Re: [PATCH 00/19] tcp: Initial support for RFC5925 auth option

From: Leonard Crestez
Date: Sat Sep 25 2021 - 10:21:22 EST

On 9/25/21 4:35 AM, David Ahern wrote:
> On 9/23/21 1:38 AM, Leonard Crestez wrote:
>> On 9/22/21 11:23 PM, Francesco Ruggeri wrote:
>>> On Tue, Sep 21, 2021 at 9:15 AM Leonard Crestez <cdleonard@xxxxxxxxx>
>>> wrote:
>>>> * Sequence Number Extension not implemented so connections will flap
>>>> every ~4G of traffic.
>>>
>>> Could you expand on this?
>>> What exactly do you mean by flap? Will the connection be terminated?
>>> I assume that depending on the initial sequence numbers the first flaps
>>> may occur well before 4G.
>>> Do you use an SNE of 0 in the hash computation, or do you just not include
>>> the SNE in it?
>>
>> SNE is hardcoded to zero, with the logical consequence of incorrect
>> signatures on sequence number wrapping. The SNE has to be included
>> because otherwise all signatures would be invalid.
>>
>> You are correct that this can break much sooner than 4G of traffic, but
>> still in the GB range on average. I didn't test the exact behavior (not
>> clear how) but if signatures don't validate the connection will likely
>> time out.
>
> This is for BGP and LDP connections. What's the expected frequency of
> rollover for large FIBs? Seems like it could be fairly often.

Implementing SNE is obviously required for standard conformance, I'm not claiming it is not needed. I will include this in a future version.

I skipped it because it has very few interactions with the rest of the code so it can be implemented separately. Many tests can pass just fine ignoring SNE.

--
Regards,
Leonard
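
An added illustration, not code from this patch series or from the kernel, of the SNE tracking that RFC 5925 section 6.2 calls for and of why hardcoding SNE to zero stops authenticating after the 32-bit sequence number wraps; `struct sne_state` and the function names are mine, and the segment trace is constructed.

```c
#include <stdint.h>
#include <stddef.h>

/* Per-direction SNE tracker (hypothetical name, not from the patch series). */
struct sne_state {
	uint32_t sne;      /* high-order 32 bits of the emulated 64-bit space */
	uint32_t last_seq; /* highest 32-bit SEQ seen so far in this direction */
};

/* SNE belonging to a segment at `seq`, advancing the tracker when the 32-bit
 * SEQ wraps. Retransmits of pre-wrap data get the previous SNE, so both ends
 * keep feeding the same 64-bit value into the MAC across the wrap. */
uint32_t sne_for_segment(struct sne_state *st, uint32_t seq)
{
	uint32_t sne = st->sne;
	if ((int32_t)(seq - st->last_seq) < 0) {   /* TCP before(): older data */
		if (seq > st->last_seq)                /* raw value larger: previous epoch */
			sne--;
	} else {                                   /* new high-water mark */
		if (seq < st->last_seq)                /* raw value smaller: wrapped */
			st->sne = ++sne;
		st->last_seq = seq;
	}
	return sne;
}

/* The 64-bit value (SNE || SEQ) that RFC 5925 section 6.2 places in the MAC input. */
uint64_t effective_seq(uint32_t sne, uint32_t seq)
{
	return ((uint64_t)sne << 32) | seq;
}

/* Constructed trace across one wrap, including a retransmit of pre-wrap data.
 * Counts segments on which a peer hardcoding SNE=0 would MAC over a different
 * 64-bit value than a conformant peer; each one fails authentication. */
int count_mismatches_after_wrap(void)
{
	static const uint32_t trace[] = { 0xFFFFFF00u, 0xFFFFFFF0u, 0x00000010u, 0xFFFFFFF0u, 0x00000100u };
	struct sne_state st = { .sne = 0, .last_seq = trace[0] };
	int mismatches = 0;

	for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++) {
		uint32_t sne = sne_for_segment(&st, trace[i]);
		if (effective_seq(sne, trace[i]) != effective_seq(0, trace[i]))
			mismatches++;
	}
	return mismatches; /* 2: the post-wrap segments at 0x10 and 0x100 */
}
```

Seeding `last_seq` with the connection's ISN is what makes the first wrap, and so the first mismatch, arrive after 2^32 minus ISN bytes rather than a full 4 GiB, which is the "well before 4G" case raised in the thread.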