Subject: Re: SYN cookie ?
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
List: tech-kern
Date: 04/18/2001 10:57:51
Stateless SYN cookies are a clever idea not allowed for by the TCP
spec.

If the 3rd packet of the TCP 3-way handshake is lost, and the "client"
side has no data to send initially, it is the "server's"
responsibility to retransmit the SYN-ACK; if the server doesn't have
any connection state, it can't do the retransmission.  If the server
does retain state from the SYN, it almost certainly has room to
remember the ISS value it sent the client.

Certain application protocols (notably HTTP) always involve the client
speaking first; SYN cookies "work" for them because the client has
data to send and will retransmit.

Others (notably SSH, FTP, SMTP) involve the server speaking first and
the client waiting for an application-layer message before sending
anything -- and, for those protocols, if the ACK of the SYN-ACK is
lost, the clients will wait forever (or until the user or client loses
patience) for the server to retransmit.

					- Bill
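The four cases the mail describes (stateful vs. stateless server, client-speaks-first vs. server-speaks-first protocol, with the handshake's third packet lost), as an added simulation that is not part of Bill's mail and not NetBSD kernel code. The cookie construction (a truncated HMAC over the 4-tuple and a time slot, with the MSS encoding left out), the addresses, sequence numbers and the per-boot secret are all constructed for the example.

```python
"""Simulate a TCP 3-way handshake whose third packet (the client's ACK) is lost,
on a stateful server vs. a stateless SYN-cookie server, for an HTTP-like
(client speaks first) and an SSH/SMTP-like (server speaks first) application.
Constructed example; not kernel code."""
import hashlib
import hmac
from dataclasses import dataclass

SECRET = b"constructed-per-boot-secret"  # hypothetical; real kernels rotate this


@dataclass
class Seg:
    flags: str          # "SYN", "SYN-ACK", "ACK" or "DATA"
    seq: int
    ack: int = 0
    payload: bytes = b""


def cookie(tuple4, slot):
    """Stateless ISS: 32 bits of an HMAC over the 4-tuple and a coarse time slot
    (the MSS index a real cookie also encodes is omitted)."""
    msg = repr(tuple4).encode() + slot.to_bytes(4, "big")
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


class Server:
    def __init__(self, stateless):
        self.stateless = stateless
        self.syn_rcvd = {}          # tuple4 -> (ISS, ack to send); stateful mode only
        self.established = set()
        self.synack_retransmits = 0
        self.slot = 7               # constructed "current" cookie time slot

    def recv(self, tuple4, seg):
        """Process one segment; return the reply segment or None."""
        if seg.flags == "SYN":
            if self.stateless:
                iss = cookie(tuple4, self.slot)          # nothing is stored
            else:
                iss = 0x12345678                         # constructed ISS
                self.syn_rcvd[tuple4] = (iss, seg.seq + 1)
            return Seg("SYN-ACK", iss, seg.seq + 1)
        if seg.flags in ("ACK", "DATA"):
            if self.stateless:  # valid if ack-1 is the cookie for this or the previous slot
                ok = any(seg.ack - 1 == cookie(tuple4, s) for s in (self.slot, self.slot - 1))
            else:
                entry = self.syn_rcvd.get(tuple4)
                ok = entry is not None and entry[0] + 1 == seg.ack
                if ok:
                    del self.syn_rcvd[tuple4]
            if ok:
                self.established.add(tuple4)
        return None

    def timer(self, tuple4):
        """SYN-ACK retransmit timer: it needs the SYN_RCVD entry, so it can never
        fire on a stateless server."""
        entry = self.syn_rcvd.get(tuple4)
        if entry is None:
            return None
        self.synack_retransmits += 1
        return Seg("SYN-ACK", entry[0], entry[1])


class Client:
    def __init__(self, speaks_first):
        self.speaks_first = speaks_first   # True: HTTP-like; False: SSH/SMTP-like
        self.state = "CLOSED"
        self.isn = 1000                    # constructed ISN
        self.irs = None

    def connect(self):
        self.state = "SYN_SENT"
        return Seg("SYN", self.isn)

    def recv(self, seg):
        """A SYN-ACK, first copy or retransmitted duplicate, is answered with an ACK."""
        if seg.flags == "SYN-ACK" and seg.ack == self.isn + 1:
            self.state = "ESTABLISHED"
            self.irs = seg.seq
            return Seg("ACK", self.isn + 1, self.irs + 1)
        return None

    def timer(self):
        """Client retransmit timer: only unacknowledged data gets resent, and a
        server-speaks-first client has none, so it just waits."""
        if self.state == "ESTABLISHED" and self.speaks_first:
            return Seg("DATA", self.isn + 1, self.irs + 1, b"GET / HTTP/1.0\r\n\r\n")
        return None


def handshake(stateless, client_speaks_first, rounds=3):
    """Run a handshake whose third packet is lost, then let each side's retransmit
    timer expire `rounds` times. Returns (server established?, client state,
    SYN-ACK retransmissions)."""
    t4 = ("10.0.0.2", 40000, "10.0.0.1", 22)          # constructed 4-tuple
    c, s = Client(client_speaks_first), Server(stateless)
    c.recv(s.recv(t4, c.connect()))   # SYN, SYN-ACK exchanged; client's ACK is dropped
    for _ in range(rounds):
        if t4 in s.established:
            break
        data = c.timer()
        if data is not None:
            s.recv(t4, data)          # DATA carries the ACK; cookie or state validates it
        resent = s.timer(t4)
        if resent is not None:
            s.recv(t4, c.recv(resent))
    return (t4 in s.established, c.state, s.synack_retransmits)


if __name__ == "__main__":
    for stateless in (False, True):
        for first in (True, False):
            label = ("stateless" if stateless else "stateful", "client-first" if first else "server-first")
            print(*label, handshake(stateless, first))
```

The last case is the one the mail warns about: the client sits in ESTABLISHED waiting for the server's greeting, the stateless server has no SYN_RCVD entry to drive a SYN-ACK retransmission, and nothing ever moves the connection forward.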