Old Things
- Discussion about D19622. hps@ is waiting for bz@ to let him know whether he is
- Discussion about D16851. Broken into 4 reviews; needs some additional test cases; is close.
- Discussion about Richard's review to do some cleanup in preparation for RFC 6675 support: D18624. jtl@ has an open question. tuexen@ will look into it. Looks good to jtl@ and tuexen@ on the surface, but tuexen@ still has not been able to Still pending.
- Discussion about thj@'s presentation at IETF (actually delivered by Gorry on his behalf). Response from IETF was mixed, but it was clear that this is an optional feature we are free to drop. thj@ has a review to drop this: D19960. Tom to email FreeBSD lists to advertise review. tuexen@ reports on a fun fact about SCTP and jumbograms.
- Discussion about TCB size/organization. bz@ is looking into ways to automate cacheline usage analysis, with the goal of enabling automatic structure organization optimization. No update.
New Things
- Richard reports an interesting case of possible data corruption with fragmented TCP segments. It needs more information.
- tuexen@ proposes replacing MD5 with SipHash for ISNs and timestamps. It has better performance, and we think it has sufficient security for this purpose. tuexen@ to notify security team in case they have concerns. Review: D21616.
- tuexen@ asks about how we should handle the case where an application specifies an infeasible size of IPv6 options. syzkaller has detected a panic with this. jtl@ suggests that we should add destination options to the fragmentable portion, if they aren't already. thj@ says we should reject sending packets where the ULP header is not in the first fragment. This may not be detectable until connect time, but you can return EMSGSIZE then.
- jtl@ asks for feedback on a proposal to stop adding new syn cache entries when the syn cache hash bucket is full. tuexen@ suggests we stop all syn cache processing (and fall back to cookies only) when under attack. tuexen@ suggests a heuristic of one bucket overflowed. This should be accompanied by a log entry so the administrator can take appropriate action (whether investigating the attack, increasing bucket sizes for normal traffic levels, or ignoring the message).
- thj@ reports that dummynet doesn't work in jails. tuexen@ gave some advice. thj@ will follow up with bz@.
- New congestion window validation: Richard explains why it would be helpful. thj@ suggests pacing will help here. thj@ will also ask Gorry for feedback.
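
The syn cache heuristic discussed above (one overflowed bucket stops all syn cache processing, falls back to cookies only, and writes a log entry), as a small model added to these notes; it is not FreeBSD code or any of the reviews mentioned. The struct, function names, bucket count, bucket limit, and hash are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NBUCKETS     4   /* assumed; tiny so the overflow is easy to see */
#define BUCKET_LIMIT 2   /* assumed per-bucket entry limit */

enum syn_action { SYN_CACHED, SYN_COOKIE };

struct syncache_model {
    unsigned depth[NBUCKETS]; /* entries currently held per bucket */
    bool cookies_only;        /* set once any bucket has overflowed */
    unsigned log_lines;       /* administrator log entries emitted */
};

/* Decide how to answer one incoming SYN under the proposed heuristic. */
enum syn_action handle_syn(struct syncache_model *sc, uint32_t ip, uint16_t port)
{
    /* Hypothetical hash; a real stack would use a keyed hash of the 4-tuple. */
    unsigned b = (ip ^ port) % NBUCKETS;
    if (!sc->cookies_only && sc->depth[b] >= BUCKET_LIMIT) {
        /* First overflow: stop all syn cache processing and log it once. */
        sc->cookies_only = true;
        sc->log_lines++;
        fprintf(stderr, "syncache: bucket %u overflowed, cookies only\n", b);
    }
    if (sc->cookies_only)
        return SYN_COOKIE;    /* no per-connection state is allocated */
    sc->depth[b]++;
    return SYN_CACHED;
}

/* Constructed input: n SYNs from one address whose ports share a bucket. */
unsigned count_cached(struct syncache_model *sc, uint32_t ip, unsigned n)
{
    unsigned cached = 0;
    for (unsigned i = 0; i < n; i++)
        if (handle_syn(sc, ip, (uint16_t)(1024 + i * NBUCKETS)) == SYN_CACHED)
            cached++;
    return cached;
}

int main(void)
{
    struct syncache_model sc = {0};
    printf("cached %u of 5 SYNs\n", count_cached(&sc, 0xC0000201u, 5));
    return 0;
}
```

The model logs only on the transition into cookies-only mode, so a sustained overflow produces one message rather than one per SYN. How the mode is left again was not discussed and is not modeled.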
Next Meeting
Next meeting is 26 Sep 2019 @ 1400 UTC.