| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 28 Jul 2017 09:27:50 +0200 From: Willy Tarreau <w@....eu> To: Klavs Klavsen <kl@...n.dk> Cc: Eric Dumazet <eric.dumazet@...il.com>, netdev@...r.kernel.org Subject: Re: TCP fast retransmit issues On Fri, Jul 28, 2017 at 08:36:49AM +0200, Klavs Klavsen wrote: > The network guys know what caused it. > > Appearently on (atleast some) Cisco equipment the feature: > > TCP Sequence Number Randomization > > is enabled by default. I didn't want to suggest names but since you did it first ;-) Indeed it's mostly on the same device that I've been bothered a lot by their annoying randomization. I used to know by memory the exact command to type to disable it, but I don't anymore (something along "no randomization"). The other trouble it causes is retransmits of the first SYN when your source ports wrap too fast (ie when installed after a proxy). The SYNs reaching the other end find a session in TIME_WAIT, but the SYN sometimes lands in the previous window and leads to an ACK instead of a SYN-ACK, which the firewall blocks. This was easily worked around using timestamps on both sides thanks to PAWS. But disabling the broken feature is better. And no, "more secure" is not an excuse for "broken". > It would most definetely be beneficial if Linux handled SACK "not working" > better than it does - but then I might never have found the culprit who > destroyed SACK :) Yep ;-) Willy
Powered by blists - more mailing lists