Andre Oppermann has posted a patch which completely revises FreeBSD's TCP reassembly code, increasing efficiency and scalability of fragmented packet reassembly with impressive initial test results. Oppermann writes:
"I've totally rewritten the TCP reassembly function to be a lot more efficient. In tests with normal bw*delay products and packet loss plus severe reordering I've measured an improvement of at least 30% in performance. For high and very high bw*delay product links the performance improvement is most likely much higher."
Those with spare cycles may want to give it a try. Read on for the entirety of Oppermann's educational post and a link to the patch.
From: Andre Oppermann [email blocked]
To: freebsd-net
Cc: freebsd-current
Subject: Rewritten TCP reassembly
Date: 2004-12-10 20:01:12

I've totally rewritten the TCP reassembly function to be a lot more efficient. In tests with normal bw*delay products and packet loss plus severe reordering I've measured an improvement of at least 30% in performance. For high and very high bw*delay product links the performance improvement is most likely much higher.

The main property of the new code is O(1) insert for 95% of all normal reassembly cases. If there is more than one hole the insert time is O(holes). If a packet arrives that closes a hole the chains to the left and right are merged. Artificially constructed worst case is O(n). No mallocs are done for new segments. The old code was O(n) in all cases plus n*malloc for a describing structure.

There are some problems with the new code I will fix before committing it to the tree. One is it can't handle non-writeable mbufs and the other is too little leading space in the mbuf (found only on loopback interface, but there we don't have packet loss). Once these two are dealt with it is ready to go in.

Nothing is perfect and this code is only a first significant step over what we have currently in the tree, especially for transfers over lossy (wireless) and high speed links with and without packet reordering. I have the next steps already in the works which will further optimize (worst case O(windowsize/mclusters) instead of O(n)) and simplify a bit more again.

The patch can be found here: http://www.nrg4u.com/freebsd/tcp_reass-20041210.patch

Please test and report good and bad news back.

-- Andre
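To make the hole-chain logic in the post concrete, here is an added C sketch of a reassembly queue (my own illustration, not Oppermann's patch): received data is kept as sorted contiguous blocks, an insert skips whole blocks so its cost is O(holes), and a segment that closes a hole merges the neighbouring chains. The block cap, the scenario functions and the omission of mbuf handling and sequence-number wraparound are my assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
/* Constructed illustration, not the FreeBSD patch: data is a sorted list of
 * contiguous blocks [start,end); gaps are holes. Wraparound/mbufs ignored. */
#define REASS_MAX_BLOCKS 8   /* bound memory held for out-of-order data */
typedef struct block { uint32_t start, end; struct block *next; } block_t;
typedef struct { block_t *head; int nblocks; } reass_t;

/* Queue [seq, seq+len). The walk skips whole blocks, so cost is O(holes); a
 * segment that closes a hole merges its neighbours. Returns -1 (drop it; the
 * peer retransmits) if it would need a new block beyond the cap. */
int reass_insert(reass_t *q, uint32_t seq, uint32_t len) {
    uint32_t end = seq + len;
    block_t **pp = &q->head, *b;
    while (*pp && (*pp)->end < seq) pp = &(*pp)->next;  /* blocks left of seq */
    if (*pp && (*pp)->start <= end) {                   /* overlap/abut: grow */
        b = *pp;
        if (seq < b->start) b->start = seq;
        if (end > b->end) b->end = end;
        while (b->next && b->next->start <= b->end) {   /* hole closed: merge */
            block_t *n = b->next;
            if (n->end > b->end) b->end = n->end;
            b->next = n->next; free(n); q->nblocks--;
        }
        return 0;
    }
    if (q->nblocks >= REASS_MAX_BLOCKS || !(b = malloc(sizeof *b))) return -1;
    b->start = seq; b->end = end; b->next = *pp; *pp = b; q->nblocks++;
    return 0;
}
/* Bytes contiguous from rcv_nxt, i.e. deliverable to the socket. */
uint32_t reass_deliverable(const reass_t *q, uint32_t rcv_nxt) {
    const block_t *b = q->head;
    return (b && b->start <= rcv_nxt && b->end > rcv_nxt) ? b->end - rcv_nxt : 0;
}
/* Reordered arrival: [0,100), [200,300), then [100,200) closes the hole.
 * Returns deliverable bytes only if the two blocks collapsed into one. */
int reass_reorder_scenario(void) {
    reass_t q = {0};
    reass_insert(&q, 0, 100); reass_insert(&q, 200, 100);
    int before = q.nblocks;
    reass_insert(&q, 100, 100);
    return (before == 2 && q.nblocks == 1) ? (int)reass_deliverable(&q, 0) : -1;
}
/* Adversarial reordering: 20 isolated segments; returns how many were queued. */
int reass_flood_scenario(void) {
    reass_t q = {0}; int queued = 0;
    for (uint32_t i = 0; i < 20; i++)
        queued += reass_insert(&q, 1000 + i * 2000, 100) == 0;
    return queued;   /* stops at REASS_MAX_BLOCKS */
}
```

The cap is the defensive counterpart to the thread's question about unordered segments: without some bound, a peer sending only isolated segments can make the receiver hold one block per hole indefinitely.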
TCP/IP flaws!!!
Linux must have the TCP/IP stack as a library in userspace.
NO MORE REMOTE ATTACKS!!!
Time to up your meds...
A couple of minor points: This is a BSD article, not Linux. Moving stuff to userspace doesn't make it uncompromisable.
but when it's in userspace then if it IS compromised, it (theoretically) doesn't bring down the entire system. Perhaps the grandparent may want to look at a microkernel-based system such as GNU's HURD.
Fair enough, but don't you think we've spun sufficiently off-topic to kill this thread?
Anyway, to your comment (so we have /some/ signal to go with this noise): Without a full-blown capability-based OS (such as EROS), you end up having to run such central services with such high privileges that any vulnerability becomes a remote-root vulnerability. You also lose (or make more difficult) the ability to make use of hardware TCP accelerators.
Sure, chroot and jail help contain attacks, but if you compromise TCP/IP, you get to sniff (and change!) all the streams going in and out of the machine. Talk about a Man-in-the-Middle attack!
Rewritten TCP reassembly - FreeBSD 4.11 Stable
(please give me some break if I'm being too "nerd")
1) May I apply Andre Oppermann's patch to FreeBSD 4.11 Stable?
2) If yes, would it be "good"? (would my TCP be faster?)
3) What about unordered fragment packets (denial of service attack)?
Thanks
FMS