Re: [PATCH] tcp: Use absolute system clock for TCP timestamps

From: Florian Westphal
Date: Thu Sep 24 2015 - 11:30:15 EST

Eric Dumazet <edumazet@xxxxxxxxxx> wrote:
> On Thu, Sep 24, 2015 at 7:14 AM, Jovi Zhangwei <jovi@xxxxxxxxxxxxxx> wrote:
> > From f455dc3958593250909627474100f6cc5c158a5c Mon Sep 17 00:00:00 2001
> > From: Marek Majkowski <marek@xxxxxxxxxxxxxx>
> > Date: Fri, 11 Sep 2015 06:05:07 -0700
> > Subject: [PATCH] tcp: Use absolute system clock for TCP timestamps
> >
> > Using TCP timestamps is beneficial due to its purpose in PAWS and its
> > role when SYN cookies are enabled. In practice though TCP timestamps are
> > often disabled due to being a perceived security issue - they leak Linux
> > system uptime.
> >
> > This patch introduces a kernel option that makes TCP timestamp always return
> > an absolute value derived from a system clock as opposed to jiffies from
> > boot.
> >
> > This patch is based on the approach taken by grsecurity:
> >
> >

I did not see the proposed patch because it didn't make this list,
but I do not like the patch linked to above.

With HZ=1000 the clock wraps every 49 days anyway.
If that is still deemed a problem, then the proposed solution doesn't
help since all this does is add some 'random uptime' when the machine
is booted so remote monitoring will easily give a good approximation of
real uptime.

Really, where is the problem...?

> TCP stack uses tcp_time_stamp internally, we do not want to add
> overhead adding an offset on all places.
> tp->lsndtime is an example, but we have others.
> Therefore, I suggest you add a new function and use it only where needed.

Agreed, the mangling should only be performed when writing ts stamp
into tcp header, and undone when reading ts echo from network.
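The split Eric describes, and Florian's wrap arithmetic, sketched as an added example (this is not kernel code and not the posted patch): the internal clock stays in raw ticks, a per-boot offset is applied only when a TSval is written into the header and removed again when a TSecr is read from a received segment, and PAWS-style ordering keeps working across the 32-bit wrap because it compares modulo 2^32. The function names, the fixed `ts_boot_offset` value and the sample tick values are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-boot offset. A real implementation would draw it from
 * the kernel RNG once at boot; it is a fixed constant here only so that
 * the example runs deterministically. */
static const uint32_t ts_boot_offset = 0x9e3779b9u;

/* Seconds until a 32-bit tick counter wraps at a given HZ.
 * At HZ=1000 this is 4294967 s, roughly 49.7 days. */
uint64_t ts_wrap_seconds(unsigned hz)
{
    return ((uint64_t)1 << 32) / hz;
}

/* Outgoing path only: raw internal ticks -> TSval placed in the header.
 * Unsigned addition wraps modulo 2^32 by design. */
uint32_t tcp_ts_to_wire(uint32_t internal_ts)
{
    return internal_ts + ts_boot_offset;
}

/* Incoming path only: TSecr read from the network -> raw internal ticks,
 * so everything else in the stack keeps using the unmodified clock. */
uint32_t tcp_ts_from_wire(uint32_t wire_ts)
{
    return wire_ts - ts_boot_offset;
}

/* Modular "a is after b" comparison, the form PAWS needs; it gives the
 * right answer even when the counter has wrapped between a and b. */
int ts_after(uint32_t a, uint32_t b)
{
    return (int32_t)(a - b) > 0;
}

int main(void)
{
    /* Constructed sample: raw ticks just below the 32-bit wrap point. */
    uint32_t now = 4294960000u;
    uint32_t later = now + 10000u;   /* wraps to 2704 */
    uint32_t wire = tcp_ts_to_wire(now);

    printf("HZ=1000 wraps after %llu s (~%.1f days)\n",
           (unsigned long long)ts_wrap_seconds(1000),
           ts_wrap_seconds(1000) / 86400.0);
    printf("internal %u -> wire %u -> back %u\n",
           now, wire, tcp_ts_from_wire(wire));
    printf("ordering preserved across wrap: %d\n",
           ts_after(tcp_ts_from_wire(tcp_ts_to_wire(later)), now));
    return 0;
}
```

Because the offset is only added at the header boundary, fields such as `tp->lsndtime` that Eric mentions never see it, which is the overhead point he raises; the example also makes Florian's observation concrete, since the wire value still advances at the raw tick rate and wraps on the same 49-day period regardless of the offset.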