Should enable CONFIG_SYN_COOKIES on ARM kernels? #504

Closed
williamspatrick opened this issue Aug 8, 2016 · 1 comment

@williamspatrick

See openbmc/phosphor-rest-server#24 for full context.

@shenki - We are still investigating overall, but do you think we should set CONFIG_SYN_COOKIES=y in the kernels?

@amboar

amboar commented Aug 9, 2016

Here is an interesting drawback to syn cookies:

A problem arises when the connection-finalizing ACK packet sent by the client is lost, and the application layer protocol requires the server to speak first (SMTP and SSH are two examples). In this case, the client assumes that the connection was established successfully and waits for the server to send its protocol banner, or resend the SYN+ACK packet; however, the server is not aware of the session and will not resend the SYN+ACK because it discarded the backlog queue entry that would enable it to do so. Eventually, the client will abort the connection due to an application layer timeout, but this may take a relatively long time.

SSH would be the main concern.

https://en.wikipedia.org/wiki/SYN_cookies#Drawbacks

williamspatrick pushed a commit to openbmc/meta-aspeed that referenced this issue Jun 30, 2017
Minimise the differences between the ast2400 and ast2500 defconfigs.

ast2500 changes:
 - Enable IPv6
 - Disable unused compression algorithms
 - Enable SYN cookies
   * resolves openbmc/openbmc#504
 - Enable kernel hardening features
 - Disable unused USB support
 - Enable earlyprintk
 - Disable support for ancient libc

ast2400 changes:
 - Remove unused configfs support
 - Disable IPv6 IPSec support

Change-Id: Id1e388723160541de80b26c378b87a1a2da8091e
Signed-off-by: Joel Stanley <joel@jms.id.au>
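
A check for the setting discussed in this issue, as an added example that is not part of the original thread or of the OpenBMC tree: it reports whether `CONFIG_SYN_COOKIES` is set in a kernel config file and interprets the runtime `net.ipv4.tcp_syncookies` value. The function names and the sample defconfig fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the OpenBMC tree): report whether SYN cookies are
# built into a kernel config and how the running kernel is set to use them.

# Print "enabled", "disabled" or "absent" for CONFIG_SYN_COOKIES in file $1.
syn_cookies_config() {
    if grep -q '^CONFIG_SYN_COOKIES=y$' "$1"; then
        echo enabled
    elif grep -q '^# CONFIG_SYN_COOKIES is not set$' "$1"; then
        echo disabled      # explicit "not set" line, as written in a full .config
    else
        echo absent        # a minimised defconfig omits symbols left at their default
    fi
}

# Translate a net.ipv4.tcp_syncookies value into its meaning.
syn_cookies_runtime() {
    case "$1" in
        0) echo off ;;
        1) echo on-overflow ;;   # cookies sent only once the SYN backlog is full
        2) echo always ;;        # cookies sent for every SYN
        *) echo unknown ;;
    esac
}

# Constructed sample defconfig fragment, so the script runs without a kernel tree.
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_IPV6=y
CONFIG_SYN_COOKIES=y
EOF
echo "sample defconfig: $(syn_cookies_config "$sample")"
rm -f "$sample"

# Runtime setting of the machine this runs on, if the sysctl file exists.
knob=/proc/sys/net/ipv4/tcp_syncookies
if [ -r "$knob" ]; then
    echo "running kernel: $(syn_cookies_runtime "$(cat "$knob")")"
else
    echo "running kernel: $knob not present"
fi
```

With the runtime value at 1, the kernel falls back to cookies only when the SYN backlog overflows, so the build option alone does not put every connection on the cookie path.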