
Add sysctl to use per end point pair TCP timestamp offsets instead of per connection based offsets
Closed, Public

Authored by tuexen on Jul 17 2019, 6:16 PM.

Details

Summary

r338053 changed the way the initial TCP timestamp is computed: it is based on the TCP connection (taking both IP addresses and port numbers into account). This is recommended in RFC 7323.

On the freebsd-net mailing list there were reports that this results in problems with some hosts. They can be reproduced using:

  • curl -v http://88.99.60.171:80
  • curl -v http://163.172.71.252:80
  • curl -v http://5.9.242.150:80
  • curl -v https://vitagramma.com
  • curl -v https://185.134.205.105:443
  • curl -v https://136.243.1.231:443
  • curl -v https://144.76.196.4:443
  • curl -v http://94.127.191.194:80
  • curl -v https://volia.com
  • curl -v https://moemisto.ua
  • curl -v https://fotostrana.ru

From testing, it seems:

  • The problem occurs when the server sends a FIN segment first, which means it ends up in TIMEWAIT.
  • SYN segments with a smaller TS.val than used before are dropped.
  • The comparison of the TS.val is performed even when the client and server port numbers change. This means that a connection to the ssh server might impact connections to the web server.

Therefore, a new sysctl variable ts_offset_per_conn is introduced, which allows changing the computation to a per-host-pair offset (taking only the IP addresses into account).
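A simulation of the interaction the bullets describe, added here as an illustration and not code from this revision or from the FreeBSD kernel: a keyed-hash offset is computed over the 4-tuple (per connection) or over the IP pair only, and successive connections from fresh ephemeral ports are fed to a model peer that, holding a TIME_WAIT entry, rejects any SYN whose TS.val is smaller than the last one it saw from that client IP. The hash construction, the secret and the addresses are constructed for the example.

```python
import hashlib, hmac, ipaddress, struct

SECRET = b"constructed-secret-not-a-real-key"  # a kernel draws this from its random pool at boot
MOD = 1 << 32

def ts_offset(src_ip, dst_ip, sport, dport, per_conn):
    """Keyed-hash offset: over the 4-tuple (per connection, the r338053 behaviour)
    or over the IP pair only (the new ts_offset_per_conn=0 mode)."""
    material = ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed
    if per_conn:
        material += struct.pack("!HH", sport, dport)
    return struct.unpack("!I", hmac.new(SECRET, material, hashlib.sha256).digest()[:4])[0]

def ts_val(src_ip, dst_ip, sport, dport, per_conn, uptime_ms):
    """TS.val on the wire: offset plus the sender's millisecond clock, mod 2^32."""
    return (ts_offset(src_ip, dst_ip, sport, dport, per_conn) + uptime_ms) % MOD

def ts_not_older(a, b):
    """Modulo-2^32 comparison as in RFC 7323: True if a is not older than b."""
    return (a - b) % MOD < MOD // 2

class StrictPeer:
    """Server that closed first (so it holds a TIME_WAIT entry), remembers the last
    TS.val seen from a client IP and drops a later SYN from that IP whose TS.val
    is smaller, regardless of the port numbers involved."""
    def __init__(self):
        self.last_seen = {}

    def accept_syn(self, client_ip, tsval):
        prev = self.last_seen.get(client_ip)
        if prev is not None and not ts_not_older(tsval, prev):
            return False  # dropped: TS.val went backwards for this client IP
        self.last_seen[client_ip] = tsval
        return True

def syn_drop_rate(per_conn, trials=200):
    """Client opens `trials` successive connections from fresh ephemeral ports to one
    server, one per second; returns the fraction of SYNs the strict peer drops."""
    client, server, dport = "192.0.2.10", "198.51.100.20", 80  # constructed addresses
    peer, dropped = StrictPeer(), 0
    for i in range(trials):
        tsval = ts_val(client, server, 49152 + i, dport, per_conn, 1000 * (i + 1))
        if not peer.accept_syn(client, tsval):
            dropped += 1
    return dropped / trials

if __name__ == "__main__":
    print("per-connection offsets, SYN drop rate:", syn_drop_rate(True))
    print("per-host-pair offsets,  SYN drop rate:", syn_drop_rate(False))
```

With per-host-pair offsets the TS.val only ever grows with the client's clock, so the strict peer never drops a SYN; with per-connection offsets each new port draws a fresh random offset, so roughly every second SYN arrives with a smaller TS.val and is dropped.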

Diff Detail

Repository
rS FreeBSD src repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

tuexen created this revision. Jul 17 2019, 6:16 PM
rrs accepted this revision. Jul 18 2019, 11:26 AM
This revision is now accepted and ready to land. Jul 18 2019, 11:26 AM