- Add a Q2 report on improved TCP SYN cookies

Submitted by:	andre

en_US.ISO8859-1/htdocs/news/status/report-2013-04-2013-06.xml

@@ -18,7 +18,7 @@
 
     <!-- XXX: keep updating the number of entries -->
     <p>Thanks to all the reporters for the excellent work!  This report
-      contains 28 entries and we hope you enjoy reading it.</p>
+      contains 29 entries and we hope you enjoy reading it.</p>
 
     <!-- XXX: set date for the next set of submissions -->
     <p>The deadline for submissions covering between July and September 2013
@@ -1579,4 +1579,84 @@ functionality through <tt>pkg(8)</tt>.</task>
 	and <tt>CAP_RECV_RIGHTS</tt>.</task>
     </help>
   </project>
+
+  <project cat='kern'>
+    <title>Improved TCP SYN Cookies</title>
+
+    <contact>
+      <person>
+	<name>
+	  <given>Andre</given>
+	  <common>Oppermann</common>
+	</name>
+	<email>andre@FreeBSD.org</email>
+      </person>
+    </contact>
+
+    <links>
+      <url href="http://docs.freebsd.org/cgi/getmsg.cgi?fetch=28838+0+current/freebsd-net">Description</url>
+      <url href="http://people.freebsd.org/~andre/syncookie-20130708.diff">Patch</url>
+    </links>
+
+    <body>
+      <p>We have had a SYN cookie implementation for quite some time now
+	but it has some limitations with current realities for window
+	scaling and SACK encoding the in the few available bits.</p>
+
+      <p>This patch updates and improves SYN cookies mainly by:</p>
+
+      <ol>
+	<li>Encoding of MSS, WSCALE (window scaling) and SACK into the
+	  ISN (initial sequence number) without the use of timestamp
+	  bits.</li>
+
+	<li>Switching to the very fast and cryptographically strong
+	  SipHash-2-4 hash MAC algorithm to protect the SYN cookie
+	  against forgery.</li>
+      </ol>
+
+      <p>The common parameters used on TCP sessions have changed quite a
+	bit since SYN cookies very invented some 17 years ago.  Today we
+	have a lot more bandwidth which makes the use window scaling
+	almost mandatory.  Also SACK has become standard as it makes
+	recovering from packet loss much more efficient.</p>
+
+      <p>The original SYN cookies method only stored an indexed MSS
+	values in the cookie.  This obviously is not sufficient anymore
+	and breaks in the presence of WSCALE.  WSCALE information is
+	only exchanged during SYN and SYN-ACK.  If we cannot keep track
+	of it then we severely underestimate the available send or
+	receive window, compounded with the fact that with large window
+	scaling the window size information on the TCP segment header
+	would be even lower numerically.</p>
+
+      <p>A number of years back SYN cookies have been extended to store
+	the additional state in the TCP timestamp fields, if available
+	on a connection.  It has been adopted by Linux as well.  While
+	timestamps are common among the BSD, Linux and other Unix
+	systems, Windows never enabled them by default, thus they are
+	not present for the vast majority of clients seen on the
+	Internet.</p>
+
+      <p>The new improvement in this patch moves all necessary
+	information into the ISN again removing the need for timestamps.
+	Both the MSS and send WSCALE are stored in 3 bit indexed form
+	together with a single bit for SACK.  While we cannot represent
+	all possible MSS and WSCALE values, both are 16 bit fields in
+	the TCP header, in only 3 bits each this, it turns out, is not
+	actually necessary.</p>
+
+      <p>These improvements allow one to run with SYN cookies only on
+	Internet-facing servers.  However while SYN cookies are
+	calculated and sent all the time, they are only used when the
+	syn cache overflows due to attacks or overload.  In that cause
+	though, you can rest assured that no significant degradation in
+	TCP connection setup happens anymore and that even Windows
+	clients can make use of window scaling and SACK.</p>
+    </body>
+
+    <help>
+      <task>Additional testing on busy servers.</task>
+    </help>
+  </project>
 </report>