lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 22 May 2019 22:07:02 +0100
From:   Jeremy Sowden <jeremy@...zel.net>
To:     Jason Baron <jbaron@...mai.com>
Cc:     davem@...emloft.net, edumazet@...gle.com, ycheng@...gle.com,
        ilubashe@...mai.com, netdev@...r.kernel.org,
        Christoph Paasch <cpaasch@...le.com>
Subject: Re: [PATCH net-next 5/6] Documentation: ip-sysctl.txt: Document
 tcp_fastopen_key

On 2019-05-22, at 16:39:37 -0400, Jason Baron wrote:
> Add docs for /proc/sys/net/ipv4/tcp_fastopen_key
>
> Signed-off-by: Christoph Paasch <cpaasch@...le.com>
> Signed-off-by: Jason Baron <jbaron@...mai.com>
> ---
>  Documentation/networking/ip-sysctl.txt | 20 ++++++++++++++++++++
>  1 file changed, 20 insertions(+)
>
> diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
> index 14fe930..e8d848e 100644
> --- a/Documentation/networking/ip-sysctl.txt
> +++ b/Documentation/networking/ip-sysctl.txt
> @@ -648,6 +648,26 @@ tcp_fastopen_blackhole_timeout_sec - INTEGER
>  	0 to disable the blackhole detection.
>  	By default, it is set to 1hr.
>
> +tcp_fastopen_key - list of comma separated 32-digit hexadecimal INTEGERs
> +	The list consists of a primary key and an optional backup key. The
> +	primary key is used for both creating and validating cookies, while the
> +	optional backup key is only used for validating cookies. The purpose of
> +	the backup key is to maximize TFO validation when keys are rotated.
> +
> +	A randomly chosen primary key may be configured by the kernel if
> +	the tcp_fastopen sysctl is set to 0x400 (see above), or if the
> +	TCP_FASTOPEN setsockopt() optname is set and a key has not been
> +	previously configured via sysctl. If keys are configured via
> +	setsockopt() by using the TCP_FASTOPEN_KEY optname, then those
> +	per-socket keys will be used instead of any keys that are specified via
> +	sysctl.
> +
> +	A key is specified as 4 8-digit hexadecimal integers which are separted

"separated"

> +	by a '-' as: xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx. Leading zeros may be
> +	omitted. A primary and a backup key may be specified by separting them
> +	by a comma. If only one key is specified, it becomes the primary key and
> +	any previous backup keys are removed.
> +
>  tcp_syn_retries - INTEGER
>  	Number of times initial SYNs for an active TCP connection attempt
>  	will be retransmitted. Should not be higher than 127. Default value
> --
> 2.7.4
>
>

J.

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ