Re: [net-next-2.6 PATCH RFC] TCPCT part 1d: generate Responder Cookie

view
thread

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Eric Dumazet

Subject: Re: [net-next-2.6 PATCH RFC] TCPCT part 1d: generate Responder Cookie

Date: Sunday, November 1, 2009 - 11:03 am

William Allen Simpson a écrit :
quoted text> Since October 4th, I've repeatedly asked publicly for assistance with these
> Linux-specific memory locking constructs and cryptography.  I've also sent
> private messages.  No help has been forthcoming.  None.  Nada.
> 
> At this point, I've spent weeks re-spinning code that I'd understood was
> approved a year ago.  The whole project should have been finished by now!

Your messages on netdev are two weeks old, not one year, and came during
LKS. Many developpers were busy in Japan.

quoted text> 
> So, I'll try a larger audience.  Could somebody take a look at my usage of
> read and write locking?
> 
> NB, I'm trying to port some 15-year-old fairly simple and straightforward
> (single cpu) code from the KA9Q cooperative multitasking platform.
> 
> I've examined existing code used for syncookies and TCP MD5 authenticators.
> Neither meets my needs, as this secret is updated every few minutes.  Both
> have very different approaches.  They are rarely used.  My code will be
> used on the order of tens of thousands of connections per second.
> 
> Moreover, it seems to my naive eye that the syncookie per cpu code simply
> doesn't work properly.  The workspace is allocated per cpu, but the cpu
> could change during the extensive SHA1 computations.  Bug?
> 
> Therefore, I'm approaching this as simply as possible.  I'm particularly
> concerned about the initialization and cache state of memory pointers.
> 
> Does the locking handle this?  Or is there more to be done?
> 

This patch looks fine, but I dont see how this new function is used.

Some points :

1) We are working hard to remove rwlocks from network stack, so please dont
add a new one. You probably can use a seqlock or RCU, or a server handling 
10.000 connections request per second on many NIC will hit this rwlock.

2) 

	} else if (unlikely(time_after(jiffy, tcp_secret_primary->expires))) {
		get_random_bytes(secrets, sizeof(secrets));

		write_lock(&tcp_secret_locker);

It would be better to first get the lock, then get random_bytes, in order
not wasting entropy.


3) If you change secret ever 600 seconds, it might be better to use a timer
so that you dont have to check expiration and this logic at each SYN packet.
(Disociate the lookup (read-only, done many time per second) from the updates
(trigerred by a timer every 600 secs))

(Not counting you'll probably need to use a similar lookup algo for the ACK
packet coming from client)




--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

[net-next-2.6 PATCH RFC] TCPCT part 1d: generate Responder ..., William Allen Simpson, (Fri Oct 30, 4:00 am)

Re: [net-next-2.6 PATCH RFC] TCPCT part 1d: generate Respo ..., William Allen Simpson, (Fri Oct 30, 11:11 am)

Re: [net-next-2.6 PATCH RFC] TCPCT part 1d: generate Respo ..., William Allen Simpson, (Sun Nov 1, 6:01 am)

Re: [net-next-2.6 PATCH RFC] TCPCT part 1d: generate Respo ..., Eric Dumazet, (Sun Nov 1, 11:03 am)

Re: [net-next-2.6 PATCH RFC] TCPCT part 1d: generate Respo ..., William Allen Simpson, (Mon Nov 2, 3:39 am)

Re: [net-next-2.6 PATCH RFC] TCPCT part 1d: generate Respo ..., David Miller, (Mon Nov 2, 3:50 am)

Re: [net-next-2.6 PATCH RFC] TCPCT part 1d: generate Respo ..., Eric Dumazet, (Mon Nov 2, 3:56 am)

Re: [net-next-2.6 PATCH RFC] TCPCT part 1d: generate Respo ..., William Allen Simpson, (Mon Nov 2, 5:36 am)

Re: [net-next-2.6 PATCH RFC] TCPCT part 1d: generate Respo ..., Eric Dumazet, (Mon Nov 2, 6:16 am)

Re: [net-next-2.6 PATCH RFC] TCPCT part 1d: generate Respo ..., William Allen Simpson, (Mon Nov 2, 10:21 am)

Re: [net-next-2.6 PATCH RFC] TCPCT part 1d: generate Respo ..., Eric Dumazet, (Mon Nov 2, 10:42 am)

Re: [net-next-2.6 PATCH RFC] TCPCT part 1d: generate Respo ..., William Allen Simpson, (Tue Nov 3, 3:38 pm)

Re: [net-next-2.6 PATCH RFC] TCPCT part 1d: generate Respo ..., Eric Dumazet, (Tue Nov 3, 4:03 pm)

Re: [net-next-2.6 PATCH RFC] TCPCT part 1d: generate Respo ..., Paul E. McKenney, (Wed Nov 4, 2:48 pm)

Re: [net-next-2.6 PATCH RFC] TCPCT part 1d: generate Respo ..., William Allen Simpson, (Thu Nov 5, 5:17 am)

Re: [net-next-2.6 PATCH RFC] TCPCT part 1d: generate Respo ..., William Allen Simpson, (Thu Nov 5, 5:45 am)

Re: [net-next-2.6 PATCH RFC] TCPCT part 1d: generate Respo ..., Eric Dumazet, (Thu Nov 5, 6:19 am)

Re: [net-next-2.6 PATCH RFC] TCPCT part 1d: generate Respo ..., Eric Dumazet, (Thu Nov 5, 6:34 am)

Re: [net-next-2.6 PATCH RFC] TCPCT part 1d: generate Respo ..., Paul E. McKenney, (Thu Nov 5, 7:59 am)

Re: [net-next-2.6 PATCH RFC] TCPCT part 1d: generate Respo ..., William Allen Simpson, (Thu Nov 5, 12:44 pm)

Navigation

Popular discussions


linux-kernel:
Ken Chen	[patch] sched: fix inconsistency when redistribute per-cpu tg->cfs_rq shares.
Hugh Dickins	Re: Linux 2.6.26-rc1 - pgtable_32.c:178 pmd_bad
Bernhard Beck	[PATCH 001/001] usb-serial: Add ThinkOptics WavIT
Oleg Nesterov	Re: [PATCH 4/5] don't panic if /sbin/init exits or killed
Greg KH	[patch 07/21] rtc-pcf8563: detect polarity of century bit automatically
git:
Jonathan del Strother	Re: [PATCH] Fixing path quoting issues
Gerrit Pape	[PATCH] fix skipping merge-order test with NO_OPENSSL=1.
Linus Torvalds	Re: Implementing branch attributes in git config
Johannes Schindelin	Re: Trying to use git-filter-branch to compress history by removing large, obsolet...
Gerrit Pape	[PATCH] hooks--update: fix test for properly set up project description file
linux-netdev:
David Miller	Re: [PATCH 04/15] tg3: Preserve LAA when device control is released
Jean-Louis Dupond	Re: tg3 driver not advertising 1000mbit
Sven Wegener	[PATCH] ipvs: Add missing locking during connection table hashing and unhashing
David Miller	Re: [PATCH] qlcnic: dont assume NET_IP_ALIGN is 2
Stephen Hemminger	[PATCH 2/2] sky2: fix transmit state on resume
git-commits-head:
Linux Kernel Mailing List	[SCSI] scsi ioctl: fix kernel-doc warning
Linux Kernel Mailing List	ALSA: HDA - Correct trivial typos in comments.
Linux Kernel Mailing List	i2c-viapro: Add support for SMBus Process Call transactions
Linux Kernel Mailing List	i2c: Documentation: upgrading clients HOWTO
Linux Kernel Mailing List	[PATCH] fix sysctl_nr_open bugs
openbsd-misc:
Die Gestalt	Re: How to re-build openssl with SHA1 support?
Edwin Eyan Moragas	Re: managing routes for multiple PPPoE connections
Brian Candler	Re: OBSD's perspective on SELinux
Jonathan Schleifer	Why is getaddrinfo breaking POSIX?
Predrag Punosevac	Re: Kernel developers guide/tutorial

Colocation donated by:

Syndicate