
TCP SYN cookies and Bug #520668



Hello,
  There has been a bug opened for a while to enable TCP SYN cookies by
default. The current situation is /etc/sysctl.conf has this option, but
it is commented out.

The procps (sysctl.conf) bug is http://bugs.debian.org/520668; you may
also like to read the discussion about the tcp(7) man page at
http://bugs.debian.org/253588, which discusses the mechanism too.

The general argument seems to be that:
 - SYN cookies, when activated, break certain options like large windows
   within TCP
The counter-argument is that:
 - Under the circumstances you have cookies activated your backlog is
   full so you lose the TCP session anyhow.

While initially skeptical, I can see that under high TCP loads having
some sort of connection is better than having no connection. Connections
with large windows will be dropped, but they would be anyhow.

My proposal is to change sysctl.conf so by default it will have TCP SYN
cookies ENABLED.  Anyone is quite able to change this but the default is
proposed to be enabled.

Before I make this change, I am emailing debian-devel for comments. I
am looking in particular for information about why it could be harmful
(if it is).

Please CC the BTS so I've got some tracking of it, thank you!

  - Craig

Further references:
 http://cr.yp.to/syncookies.html
 http://lwn.net/Articles/277146/
 http://en.wikipedia.org/wiki/SYN_cookies

-- 
Craig Small      GnuPG:1C1B D893 1418 2AF4 45EE  95CB C76C E5AC 12CA DFA5
http://www.enc.com.au/                             csmall at : enc.com.au
http://www.debian.org/          Debian GNU/Linux, software should be Free 
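The mail's whole point is that /etc/sysctl.conf carries the SYN cookie option but commented out, which sysctl treats exactly like an absent entry. The script below is an added example, not part of Craig's mail or of procps: a small POSIX sh/awk parser for sysctl.conf-style files that reports the effective value of a key (last uncommented assignment wins, trailing comments stripped, `/` and `.` key separators treated alike) and classifies net.ipv4.tcp_syncookies as enabled, disabled or unset. The sample file is constructed here to mirror the commented-out default the mail describes.

```shell
#!/bin/sh
# Added example (not from the original mail): report the effective value of
# a key in a sysctl.conf-style file, treating commented-out or absent entries
# as "unset" (the situation the mail describes).
# Usage: sysctl_conf_value FILE KEY  -> prints the last active value, or "unset"
sysctl_conf_value() {
    file="$1"; key="$2"
    # sysctl.conf lines look like "key = value"; '#' or ';' start a comment.
    # Later assignments override earlier ones, so the last match is kept.
    awk -v k="$key" '
        /^[[:space:]]*[#;]/ { next }                 # commented-out entry: ignore
        /^[[:space:]]*$/    { next }                 # blank line
        {
            line = $0
            sub(/[#;].*$/, "", line)                 # strip trailing comment
            n = index(line, "=")
            if (n == 0) next
            name = substr(line, 1, n - 1); val = substr(line, n + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", name)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            gsub(/\//, ".", name)                    # net/ipv4/x == net.ipv4.x
            if (name == k) last = val
        }
        END { print (last == "" ? "unset" : last) }
    ' "$file"
}

# Convenience wrapper: "enabled" / "disabled" / "unset" for the SYN cookie knob.
syncookies_state() {
    v=$(sysctl_conf_value "$1" net.ipv4.tcp_syncookies)
    case "$v" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unset ;;
    esac
}

# Constructed sample mirroring the default the mail describes: the option
# is present in the file but commented out, so it has no effect.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Uncomment the next line to enable TCP/IP SYN cookies
#net.ipv4.tcp_syncookies=1
net.ipv4.ip_forward = 0   # trailing comment
EOF
echo "sample sysctl.conf: SYN cookies $(syncookies_state "$SAMPLE")"
rm -f "$SAMPLE"
```

Run it against the real /etc/sysctl.conf (or a file under /etc/sysctl.d/) to see whether the file itself would enable the option at boot; the running kernel value is read separately from /proc/sys/net/ipv4/tcp_syncookies.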