Open Source and information security mailing list archives
 
Date:   Wed, 28 Jul 2021 09:32:42 -0700
From:   Yuchung Cheng <ycheng@...gle.com>
To:     pavel@...x.de
Cc:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        linux-kernel@...r.kernel.org, stable@...r.kernel.org,
        Wei Wang <weiwan@...gle.com>,
        Eric Dumazet <edumazet@...gle.com>,
        Neal Cardwell <ncardwell@...gle.com>,
        Soheil Hassas Yeganeh <soheil@...gle.com>,
        "David S. Miller" <davem@...emloft.net>,
        Sasha Levin <sashal@...nel.org>
Subject: Re: [PATCH 5.10 099/167] tcp: disable TFO blackhole logic by default

On Wed, Jul 28, 2021 at 3:12 AM Pavel Machek <pavel@...x.de> wrote:
>
> Hi!
>
> > [ Upstream commit 213ad73d06073b197a02476db3a4998e219ddb06 ]
> >
> > Multiple complaints have been raised from the TFO users on the internet
> > stating that the TFO blackhole logic is too aggressive and gets falsely
> > triggered too often.
> > (e.g. https://blog.apnic.net/2021/07/05/tcp-fast-open-not-so-fast/)
> > Considering that most middleboxes no longer drop TFO packets, we decide
> > to disable the blackhole logic by setting
> > /proc/sys/net/ipv4/tcp_fastopen_blackhole_timeout_set to 0 by
> > default.
>
> I understand this makes sense for mainline, but should we have this in
> stable? Somebody may still be using broken middlebox with their
> "stable" server.
Thank you Pavel for raising this issue. You made a good point.

The enabled-by-default policy has caused disruptions to applications.
We have received quite a few others over the years besides the cited
report. Other major TFO implementations (e.g. iOS, Windows) do not
have such mechanisms and seem to work fine.

On the other hand maybe we do not hear middlebox issues because this
mechanism is working. So I am okay to avoid applying to stable and
keep in net-next to test this new policy.

>
> Best regards,
>                                                                 Pavel
>
> --
> DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
