On Sat, 14 May 2005, jensen galan wrote:
> Also, does anybody know of any work related to using syncookies AND being able to use TCP options such as large windows and SACK?
The main problem in doing this is that you have very limited space for negotiating options in the SYN cookie. Each additional data bit you encode into the cookie decreases the security level and reliability of the cookie.
Adding SACK support should not be too big of an issue as it only requires a single bit, and to maintain security you could reduce the MSS selection by one bit by carefully selecting which MSS values you support, or you could go aggressive about it and only provide a very limited number of MSS values without SACK. Window scaling is worse as it requires more data.
With some statistics on common use it should be possible to build a more elaborate table describing the common cases of MSS+SACK+WSCALE, allowing a richer negotiation in the common cases without sacrificing security of the cookie.
Regards
Henrik

-
: send the line "unsubscribe linux-net" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
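An added illustration of the bit budget Henrik describes, not code from this thread or from the Linux kernel: a 32-bit cookie carrying a 5-bit time counter, a 3-bit index into a constructed table of common MSS/SACK/WSCALE combinations, and a 24-bit keyed hash. The `mix` function is a toy stand-in for a real cryptographic hash, and the table contents, key, addresses and ports are all constructed for the example.

```c
#include <stdint.h>

/* Example option table (constructed for this illustration): three index
 * bits select one of eight common (MSS, SACK, WSCALE) combinations, so
 * SACK and window scaling ride on the same bits a plain MSS index uses. */
struct opts { uint16_t mss; uint8_t sack; uint8_t wscale; };
static const struct opts table[8] = {
    {536, 0, 0}, {1220, 0, 0}, {1440, 0, 0}, {1460, 0, 0},
    {1220, 1, 0}, {1440, 1, 0}, {1460, 1, 0}, {1460, 1, 7},
};

/* Every option bit taken here is a bit removed from the hash field. */
enum { T_BITS = 5, IDX_BITS = 3, HASH_BITS = 32 - T_BITS - IDX_BITS };
#define MASK(n) ((1u << (n)) - 1u)

/* Toy keyed mixing function standing in for the cryptographic hash a real
 * implementation uses; it is NOT a MAC and only illustrates the layout. */
static uint32_t mix(uint32_t a, uint32_t b, uint32_t c) {
    uint32_t h = a * 0x9E3779B1u ^ b * 0x85EBCA77u ^ c * 0xC2B2AE3Du;
    h ^= h >> 15; h *= 0x27D4EB2Du; h ^= h >> 13;
    return h;
}

static uint32_t tag(uint32_t key, uint32_t saddr, uint32_t daddr,
                    uint32_t ports, uint32_t t5, unsigned idx) {
    /* The option index is hashed too, so flipping it invalidates the tag. */
    return mix(key ^ (t5 << 8) ^ idx, saddr ^ daddr, ports) & MASK(HASH_BITS);
}

/* Cookie layout: [5-bit time | 3-bit option index | 24-bit keyed hash]. */
uint32_t make_cookie(uint32_t key, uint32_t saddr, uint32_t daddr,
                     uint32_t ports, uint32_t now, unsigned idx) {
    uint32_t t5 = now & MASK(T_BITS);
    idx &= MASK(IDX_BITS);
    return (t5 << (32 - T_BITS)) | (idx << HASH_BITS)
         | tag(key, saddr, daddr, ports, t5, idx);
}

/* Returns the table index on success and fills *out; -1 if the cookie is
 * forged, tampered with, or older than four time ticks. */
int check_cookie(uint32_t key, uint32_t saddr, uint32_t daddr,
                 uint32_t ports, uint32_t now, uint32_t cookie, struct opts *out) {
    uint32_t t5 = cookie >> (32 - T_BITS);
    unsigned idx = (cookie >> HASH_BITS) & MASK(IDX_BITS);
    for (uint32_t age = 0; age < 4; age++) {
        if (((now - age) & MASK(T_BITS)) != t5) continue;
        if ((cookie & MASK(HASH_BITS)) != tag(key, saddr, daddr, ports, t5, idx))
            return -1;
        *out = table[idx];
        return (int)idx;
    }
    return -1;
}
```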