Re: [PATCH] tcp: Use absolute system clock for TCP timestamps

From: Florian Westphal
Date: Thu Sep 24 2015 - 11:30:15 EST


Eric Dumazet <edumazet@xxxxxxxxxx> wrote:
> On Thu, Sep 24, 2015 at 7:14 AM, Jovi Zhangwei <jovi@xxxxxxxxxxxxxx> wrote:
> > From f455dc3958593250909627474100f6cc5c158a5c Mon Sep 17 00:00:00 2001
> > From: Marek Majkowski <marek@xxxxxxxxxxxxxx>
> > Date: Fri, 11 Sep 2015 06:05:07 -0700
> > Subject: [PATCH] tcp: Use absolute system clock for TCP timestamps
> >
> > Using TCP timestamps is beneficial due for to its purpose in PAWS and when
> > its role when SYN cookies are enabled. In practice though TCP timestamps are
> > often disabled due to being a perceived security issue - they leak Linux
> > system uptime.
> >
> > This patch introduces a kernel option that makes TCP timestamp always return
> > an absolute value derived from a system clock as opposed to jiffies from
> > boot.
> >
> > This patch is based on the approach taken by grsecurity:
> > https://grsecurity.net/~spender/random_timestamp.diff
> >

I did not see the proposed patch because it didn't make this list,
but I do not like the patch linked to above.

With HZ=1000 the clock wraps every 49 days anyway.
If thats is still deemed a problem, then the proposed solution doesn't
help since all this does is add some 'random uptime' when the machine
is booted so remote monitoring will easily give a good approximation of
real uptime.

Really, where is the problem...?

> TCP stack uses tcp_time_stamp internally, we do not want to add
> overhead adding an offset on all places.
>
> tp->lsndtime is an example, but we have others.
>
> Therefore, I suggest you add a new function and use it only where needed.

Agreed, the mangling should only be performed when writing ts stamp
into tcp header, and undone when reading ts echo from network.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/