Bob Beck is an OpenBSD developer from Edmonton in Canada. He's one of around 60 OpenBSD developers currently working in an undisclosed hotel somewhere in downtown Calgary at the 2005 OpenBSD hackathon [story]. Bob was involved in setting up the infrastructure [story], and was responsible for the annual barbecue at OpenBSD creator Theo de Raadt [interview]'s house [story]. Following these two days of effort that helped to make the hackathon possible, he finally sat down to work on spamd and catch up on email. One of the emails in his inbox caught his attention, leading to a day's effort about which he notes, "some Days end up far far far from where they start."
In the following article, Bob provides a first-person account of tracking down what began simply as a RAID performance issue, but ultimately turned out to be a problem with the idle loop that when fixed resulted in an impressive performance boost. Bob noted, "the idle loop is where the kernel spins when there is no work to do in userland, because of this, it's also where we catch and service many of our interrupts from drivers that may queue work to the device and then tsleep waiting for an interrupt from the card saying the work is done." Bob went on to explain that prior to today's fix, interrupts were handled appropriately when there was userland work happening, but not when there was nothing happening in userland and the kernel was simply waiting for device input/output. Read on for Bob's full account of the day, leading up to the discovery of the problem and the implementation of the fix, including performance numbers.
A month before the official release of OpenBSD 3.7 [forum], OpenBSD creator Theo de Raadt [interview] announced the availability of the official release song titled "Wizard of OS". Each release of OpenBSD has its own song with a unique sound and theme [story], each available for download in ogg and mp3 format. The Wizard of OS is ten minutes long and inspired by Pink Floyd's Dark Side of the Moon album, a playfully appropriate matchup. Theo describes the theme as relating to "something big we have been dealing with over the last 6 months of the release -- our fight to get programming documentation and redistributable firmwares [story]." He goes on to suggest:
"Want to help us? Avoid Intel Centrino, Broadcom, TI, or Conexant PrismGT chipsets. Heck, avoid buying even regular old pre-G Prism products, to send a message. If you can, buy 802.11 products using chips by Realtek, Ralink, Atmel, ADMTek, Atheros. Our manual pages attempt to explain which vendors (i.e. D-Link) box which chipsets into which product."
The OpenBSD project has long been associated with security. Indeed, thanks to proactively and regularly auditing its code, the project's web site is able to boast "only one remote hole in the default install, in more than 8 years," and another page states "our aspiration is to be NUMBER ONE in the industry for security (if we are not already there)." However, security is not the only focus of OpenBSD, as reflected in the project's slogan which reads, "Free, Functional and Secure." All three of these words are strongly backed by OpenBSD developers.
If you speak with OpenBSD creator Theo de Raadt for any length of time, you will quickly realize just how important freedom is to the project. For example, freedom was the driving force behind the now ubiquitous OpenSSH, developed within the OpenBSD project. It has also led to the development of OpenNTPD, OpenCVS, and the widely used pf packet filter [story]. In recognition of these many contributions, Theo recently received the 2004 Free Software Award from the Free Software Foundation. The freedom that the OpenBSD team works so hard for comes without any strings, patents, or conditions, distributed under the BSD license.
Currently, the OpenBSD project is focusing on wireless networking technology, working to convince hardware manufacturers to make the firmware for their wireless cards freely distributable. It sounds simple enough, but the effort has taken much persistence and perseverance. Many of today's corporations require the signing of non-disclosure agreements and other legal red tape prior to making firmware or documentation available, requirements that don't measure up to OpenBSD's standards for freedom.
OpenBSD creator Theo de Raadt [interview] announced that Intel has refused his request to permit that the firmware for their wireless chipsets be made freely distributable. He explains, "I had asked for free terms under which we (and Linux, anyone) can redistribute the firmwares for their wireless chipsets. Without these firmware files included in OpenBSD, users must go do some click-through license at some web site to get at the files. Without those files, these devices are just bits of metal, plastic, and sand." Intel is one of several companies being approached by OpenBSD in a coordinated effort to try and free up the availability of firmware for wireless chipsets [story]. Several vendors including Symbol, Zydas, and Atmel have responded favorably, licensing their firmwares so that they can be distributed freely with OpenBSD.
As to the reason Intel refused to update their licensing, Theo explained that they referenced obligations to outside parties. Further clarification as to exactly what that means was not provided by the company. Theo went on to note that though this concludes his dealings with Intel, users are still encouraged to contact them and express their concern for this policy, "maybe they will listen to enough customers, or they will learn to not make this mistake again with future chipsets. I for one have already decided that I will never recommend an Intel product to anyone ever if there is choice. (There is almost always choice)."
A vulnerability in TCP, the transmission control protocol, recently received some exposure in the media. Paul Watson released a white paper titled Slipping In The window: TCP Reset Attacks at the 2004 CanSecWest conference, providing a much better understanding of the real-world risks of TCP reset attacks.
To better understand the reality of this threat, KernelTrap spoke with Theo de Raadt [interview], the creator of OpenBSD, an operating system which among other goals proactively focuses on security. In this article, we aim to provide some background into the workings of TCP, and then to build upon this foundation to understand how reset attacks work.
This is the first article in a two part series. The second article will look into how TCP stacks can be hardened to defend against such attacks. Toward this goal, we spoke with members of the OpenBSD team to learn what they have done so far, and what further plans they have to minimize the impact of reset attacks.
The upcoming release of OpenBSD 3.3 on May 1st will include, among many other improvements, a notably enhanced version of PF, OpenBSD's stateful packet filter. Some of the more significant enhancements to PF include: 'queues', allowing for per-rule bandwidth control [story]; 'pool options', allowing one to utilize multiple uplinks and to intelligently redirect traffic to multiple servers; 'anchors', which allow one to divide packet filtering rule lists into logical pieces; 'tables', efficiently allowing for very large lists; and other parser improvements that make an already friendly syntax more human readable.
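As an added example (written for this page, not taken from the article or from the PF project) of how those four features sit together in one ruleset, here is a pf.conf fragment in OpenBSD 3.3-era syntax; the interface names, addresses and the "ftp-proxy" anchor name are assumptions:

```conf
# Added example pf.conf (OpenBSD 3.3 syntax). Interface names, addresses and
# the anchor name are assumed for illustration, not taken from the article.
ext_if = "fxp0"
int_if = "fxp1"
webservers = "{ 10.0.0.10, 10.0.0.11 }"

# Tables: large address lists kept in an efficient kernel structure.
# 'persist' keeps the table alive even when no rule references it, so it can
# be changed at runtime with: pfctl -t spammers -T add 192.0.2.55
table <spammers> persist
table <admins> { 192.168.1.0/24, !192.168.1.200 }

# Queues: per-rule bandwidth control (ALTQ is integrated into PF in 3.3).
altq on $ext_if cbq bandwidth 2Mb queue { std, ssh }
queue std bandwidth 80% cbq(default)
queue ssh bandwidth 20% priority 4

# Pool options, inbound: spread incoming web traffic over two servers.
rdr on $ext_if proto tcp from any to $ext_if port 80 -> $webservers round-robin

# Anchors for translation rules: a helper such as ftp-proxy loads its own
# nat/rdr rules here without touching the main ruleset.
nat-anchor "ftp-proxy"
rdr-anchor "ftp-proxy"

nat on $ext_if from $int_if:network to any -> $ext_if

# Filter rules: default deny, then drop table members before anything else.
block in on $ext_if all
block in quick on $ext_if from <spammers> to any

# Anchor for filter rules: sub-rulesets are loaded with
# pfctl -a ftp-proxy -f /path/to/rules
anchor "ftp-proxy"

# Admin SSH is placed in the priority queue; everything else gets 'std'.
pass in on $ext_if inet proto tcp from <admins> to $ext_if port ssh \
    flags S/SA keep state queue ssh
pass in on $ext_if inet proto tcp from any to $webservers port 80 \
    flags S/SA keep state
pass out on $ext_if all keep state
```

Load it with `pfctl -nf /etc/pf.conf` first (parse only) and inspect the resulting table and queue state with `pfctl -t spammers -T show` and `pfctl -s queue`.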
PF replaced its predecessor, IPF, with the release of OpenBSD 3.0 in December of 2001. Since that time, this impressive and relatively new packet filter has grown a faithful following (myself included), and continues to evolve rapidly with each new OpenBSD release. Perhaps the greatest compliment is that developers have begun to port PF to other operating systems. Back in January, Joel Wilsson announced his effort to port PF to NetBSD. And more recently, Pyun YongHyeon announced his port for FreeBSD.
I approached Pyun to learn more about his recent porting efforts. In the following article he explains why he began working on this port, and what FreeBSD users can expect from the project. Additionally, I spoke with PF creator Daniel Hartmeier [interview], PF developer Henning Brauer, and OpenBSD creator Theo de Raadt [interview]. They all reflect on these recent porting efforts, as well as the exciting new features found in OpenBSD's PF.