Add sysctl to use per end point pair TCP timestamp offsets instead of per connection based offsets
ClosedPublic
Actions

Authored by tuexen on Jul 17 2019, 6:16 PM.

Details

Reviewers

jtl
rrs
rscheff
bz

Group Reviewers

manpages
transport

Commits

rS351993: MFC r350265:
rS350265: Add a sysctl variable ts_offset_per_conn to change the computation

Summary

r338053 changed the way, the initial TCP timestamp is computed: It is based on the TCP connection (taking both IP addresses and port numbers into account). This is recommended in RFC 7323.

On the freebsd-net mailing list there were reports that this results in problems with some hosts. They can be reproduced by using:

curl -v http://88.99.60.171:80
curl -v http://163.172.71.252:80
curl -v http://5.9.242.150:80
curl -v https://vitagramma.com
curl -v https://185.134.205.105:443
curl -v https://136.243.1.231:443
curl -v https://144.76.196.4:443
curl -v http://94.127.191.194:80
curl -v https://volia.com
curl -v https://moemisto.ua
curl -v https://fotostrana.ru

By testing it seems:

The problem occurs when the server sends a FIN-segment first, which means it ends up in TIMEWAIT.
The SYN-segments with smaller TS.val than used before are dropped.
The comparison of the TS.val is performed even when the client and server port numbers change. This means that a connections to the ssh server might impact connections to the web server.

Therefore a new sysctl-variable ts_offset_per_conn is introduced which will allow to change the computation to a per host pair offset (taking only the IP addresses into account).