1994-05-30 19:09:18 +00:00
|
|
|
.\" Copyright (c) 1983, 1991, 1993
|
|
|
|
.\" The Regents of the University of California. All rights reserved.
|
|
|
|
.\"
|
|
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
|
|
.\" modification, are permitted provided that the following conditions
|
|
|
|
.\" are met:
|
|
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
|
|
.\" 3. All advertising materials mentioning features or use of this software
|
|
|
|
.\" must display the following acknowledgement:
|
|
|
|
.\" This product includes software developed by the University of
|
|
|
|
.\" California, Berkeley and its contributors.
|
|
|
|
.\" 4. Neither the name of the University nor the names of its contributors
|
|
|
|
.\" may be used to endorse or promote products derived from this software
|
|
|
|
.\" without specific prior written permission.
|
|
|
|
.\"
|
|
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
|
|
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
|
|
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
|
|
.\" SUCH DAMAGE.
|
|
|
|
.\"
|
1995-02-15 03:30:54 +00:00
|
|
|
.\" From: @(#)tcp.4 8.1 (Berkeley) 6/5/93
|
1999-08-28 00:22:10 +00:00
|
|
|
.\" $FreeBSD$
|
1994-05-30 19:09:18 +00:00
|
|
|
.\"
|
2004-11-02 22:22:22 +00:00
|
|
|
.Dd November 2, 2004
|
1994-05-30 19:09:18 +00:00
|
|
|
.Dt TCP 4
|
2001-07-10 15:31:11 +00:00
|
|
|
.Os
|
1994-05-30 19:09:18 +00:00
|
|
|
.Sh NAME
|
|
|
|
.Nm tcp
|
|
|
|
.Nd Internet Transmission Control Protocol
|
|
|
|
.Sh SYNOPSIS
|
2001-10-01 16:09:29 +00:00
|
|
|
.In sys/types.h
|
|
|
|
.In sys/socket.h
|
|
|
|
.In netinet/in.h
|
1994-05-30 19:09:18 +00:00
|
|
|
.Ft int
|
|
|
|
.Fn socket AF_INET SOCK_STREAM 0
|
|
|
|
.Sh DESCRIPTION
|
|
|
|
The
|
|
|
|
.Tn TCP
|
|
|
|
protocol provides reliable, flow-controlled, two-way
|
2003-03-22 13:43:06 +00:00
|
|
|
transmission of data.
|
|
|
|
It is a byte-stream protocol used to
|
1994-05-30 19:09:18 +00:00
|
|
|
support the
|
|
|
|
.Dv SOCK_STREAM
|
2003-03-22 13:43:06 +00:00
|
|
|
abstraction.
|
|
|
|
.Tn TCP
|
|
|
|
uses the standard
|
1994-05-30 19:09:18 +00:00
|
|
|
Internet address format and, in addition, provides a per-host
|
|
|
|
collection of
|
2003-03-22 13:43:06 +00:00
|
|
|
.Dq "port addresses" .
|
1994-05-30 19:09:18 +00:00
|
|
|
Thus, each address is composed
|
2003-03-22 13:43:06 +00:00
|
|
|
of an Internet address specifying the host and network,
|
|
|
|
with a specific
|
1994-05-30 19:09:18 +00:00
|
|
|
.Tn TCP
|
|
|
|
port on the host identifying the peer entity.
|
|
|
|
.Pp
|
2003-03-22 13:43:06 +00:00
|
|
|
Sockets utilizing the
|
|
|
|
.Tn TCP
|
|
|
|
protocol are either
|
1994-05-30 19:09:18 +00:00
|
|
|
.Dq active
|
|
|
|
or
|
|
|
|
.Dq passive .
|
|
|
|
Active sockets initiate connections to passive
|
2003-03-22 13:43:06 +00:00
|
|
|
sockets.
|
|
|
|
By default,
|
1994-05-30 19:09:18 +00:00
|
|
|
.Tn TCP
|
|
|
|
sockets are created active; to create a
|
2003-03-22 13:43:06 +00:00
|
|
|
passive socket, the
|
1994-05-30 19:09:18 +00:00
|
|
|
.Xr listen 2
|
|
|
|
system call must be used
|
|
|
|
after binding the socket with the
|
|
|
|
.Xr bind 2
|
2003-03-22 13:43:06 +00:00
|
|
|
system call.
|
|
|
|
Only passive sockets may use the
|
1994-05-30 19:09:18 +00:00
|
|
|
.Xr accept 2
|
2003-03-22 13:43:06 +00:00
|
|
|
call to accept incoming connections.
|
|
|
|
Only active sockets may use the
|
1994-05-30 19:09:18 +00:00
|
|
|
.Xr connect 2
|
|
|
|
call to initiate connections.
|
1995-02-15 03:30:54 +00:00
|
|
|
.Tn TCP
|
|
|
|
also supports a more datagram-like mode, called Transaction
|
|
|
|
.Tn TCP ,
|
|
|
|
which is described in
|
|
|
|
.Xr ttcp 4 .
|
1994-05-30 19:09:18 +00:00
|
|
|
.Pp
|
|
|
|
Passive sockets may
|
|
|
|
.Dq underspecify
|
|
|
|
their location to match
|
2003-03-22 13:43:06 +00:00
|
|
|
incoming connection requests from multiple networks.
|
|
|
|
This technique, termed
|
|
|
|
.Dq "wildcard addressing" ,
|
1994-05-30 19:09:18 +00:00
|
|
|
allows a single
|
|
|
|
server to provide service to clients on multiple networks.
|
|
|
|
To create a socket which listens on all networks, the Internet
|
|
|
|
address
|
|
|
|
.Dv INADDR_ANY
|
2003-03-22 13:43:06 +00:00
|
|
|
must be bound.
|
|
|
|
The
|
1994-05-30 19:09:18 +00:00
|
|
|
.Tn TCP
|
|
|
|
port may still be specified
|
2003-03-22 13:43:06 +00:00
|
|
|
at this time; if the port is not specified, the system will assign one.
|
|
|
|
Once a connection has been established, the socket's address is
|
|
|
|
fixed by the peer entity's location.
|
|
|
|
The address assigned to the
|
1994-05-30 19:09:18 +00:00
|
|
|
socket is the address associated with the network interface
|
2003-03-22 13:43:06 +00:00
|
|
|
through which packets are being transmitted and received.
|
|
|
|
Normally, this address corresponds to the peer entity's network.
|
1994-05-30 19:09:18 +00:00
|
|
|
.Pp
|
|
|
|
.Tn TCP
|
1995-02-15 03:30:54 +00:00
|
|
|
supports a number of socket options which can be set with
|
1994-05-30 19:09:18 +00:00
|
|
|
.Xr setsockopt 2
|
|
|
|
and tested with
|
1995-02-15 03:30:54 +00:00
|
|
|
.Xr getsockopt 2 :
|
2004-06-16 08:33:57 +00:00
|
|
|
.Bl -tag -width ".Dv TCP_NODELAY"
|
1995-02-15 03:30:54 +00:00
|
|
|
.It Dv TCP_NODELAY
|
1994-05-30 19:09:18 +00:00
|
|
|
Under most circumstances,
|
|
|
|
.Tn TCP
|
|
|
|
sends data when it is presented;
|
|
|
|
when outstanding data has not yet been acknowledged, it gathers
|
|
|
|
small amounts of output to be sent in a single packet once
|
|
|
|
an acknowledgement is received.
|
|
|
|
For a small number of clients, such as window systems
|
|
|
|
that send a stream of mouse events which receive no replies,
|
|
|
|
this packetization may cause significant delays.
|
1995-02-15 03:30:54 +00:00
|
|
|
The boolean option
|
1994-05-30 19:09:18 +00:00
|
|
|
.Dv TCP_NODELAY
|
1995-02-15 03:30:54 +00:00
|
|
|
defeats this algorithm.
|
|
|
|
.It Dv TCP_MAXSEG
|
2003-03-22 13:43:06 +00:00
|
|
|
By default, a sender- and
|
|
|
|
.No receiver- Ns Tn TCP
|
1995-02-15 03:30:54 +00:00
|
|
|
will negotiate among themselves to determine the maximum segment size
|
2003-03-22 13:43:06 +00:00
|
|
|
to be used for each connection.
|
|
|
|
The
|
1995-02-15 03:30:54 +00:00
|
|
|
.Dv TCP_MAXSEG
|
|
|
|
option allows the user to determine the result of this negotiation,
|
|
|
|
and to reduce it if desired.
|
|
|
|
.It Dv TCP_NOOPT
|
|
|
|
.Tn TCP
|
|
|
|
usually sends a number of options in each packet, corresponding to
|
|
|
|
various
|
|
|
|
.Tn TCP
|
2003-03-22 13:43:06 +00:00
|
|
|
extensions which are provided in this implementation.
|
|
|
|
The boolean option
|
1995-02-15 03:30:54 +00:00
|
|
|
.Dv TCP_NOOPT
|
2001-07-14 19:41:16 +00:00
|
|
|
is provided to disable
|
1995-02-15 03:30:54 +00:00
|
|
|
.Tn TCP
|
|
|
|
option use on a per-connection basis.
|
|
|
|
.It Dv TCP_NOPUSH
|
2003-03-22 13:43:06 +00:00
|
|
|
By convention, the
|
|
|
|
.No sender- Ns Tn TCP
|
1995-02-15 03:30:54 +00:00
|
|
|
will set the
|
|
|
|
.Dq push
|
2003-03-22 13:43:06 +00:00
|
|
|
bit, and begin transmission immediately (if permitted) at the end of
|
1995-02-15 03:30:54 +00:00
|
|
|
every user call to
|
1996-04-08 04:18:31 +00:00
|
|
|
.Xr write 2
|
1995-02-15 03:30:54 +00:00
|
|
|
or
|
1996-04-08 04:18:31 +00:00
|
|
|
.Xr writev 2 .
|
1995-02-15 03:30:54 +00:00
|
|
|
The
|
|
|
|
.Dv TCP_NOPUSH
|
|
|
|
option is provided to allow servers to easily make use of Transaction
|
2003-03-22 13:43:06 +00:00
|
|
|
.Tn TCP
|
|
|
|
(see
|
2001-01-16 09:32:40 +00:00
|
|
|
.Xr ttcp 4 ) .
|
2003-03-22 13:43:06 +00:00
|
|
|
When this option is set to a non-zero value,
|
1995-02-15 03:30:54 +00:00
|
|
|
.Tn TCP
|
|
|
|
will delay sending any data at all until either the socket is closed,
|
|
|
|
or the internal send buffer is filled.
|
2004-02-16 22:21:16 +00:00
|
|
|
.It Dv TCP_MD5SIG
|
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.
Sponsored by: sentex.net
2004-02-11 04:26:04 +00:00
|
|
|
This option enables the use of MD5 digests (also known as TCP-MD5)
|
|
|
|
on writes to the specified socket.
|
|
|
|
In the current release, only outgoing traffic is digested;
|
|
|
|
digests on incoming traffic are not verified.
|
|
|
|
The current default behavior for the system is to respond to a system
|
|
|
|
advertising this option with TCP-MD5; this may change.
|
|
|
|
.Pp
|
2004-06-16 08:33:57 +00:00
|
|
|
One common use for this in a
|
|
|
|
.Fx
|
|
|
|
router deployment is to enable
|
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.
Sponsored by: sentex.net
2004-02-11 04:26:04 +00:00
|
|
|
based routers to interwork with Cisco equipment at peering points.
|
|
|
|
Support for this feature conforms to RFC 2385.
|
2004-06-16 08:33:57 +00:00
|
|
|
Only IPv4
|
|
|
|
.Pq Dv AF_INET
|
|
|
|
sessions are supported.
|
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.
Sponsored by: sentex.net
2004-02-11 04:26:04 +00:00
|
|
|
.Pp
|
|
|
|
In order for this option to function correctly, it is necessary for the
|
|
|
|
administrator to add a tcp-md5 key entry to the system's security
|
|
|
|
associations database (SADB) using the
|
|
|
|
.Xr setkey 8
|
|
|
|
utility.
|
|
|
|
This entry must have an SPI of 0x1000 and can therefore only be specified
|
|
|
|
on a per-host basis at this time.
|
|
|
|
.Pp
|
|
|
|
If an SADB entry cannot be found for the destination, the outgoing traffic
|
|
|
|
will have an invalid digest option prepended, and the following error message
|
|
|
|
will be visible on the system console:
|
2004-02-14 22:17:38 +00:00
|
|
|
.Em "tcp_signature_compute: SADB lookup failed for %d.%d.%d.%d" .
|
1995-02-15 03:30:54 +00:00
|
|
|
.El
|
|
|
|
.Pp
|
1994-05-30 19:09:18 +00:00
|
|
|
The option level for the
|
1996-04-08 04:18:31 +00:00
|
|
|
.Xr setsockopt 2
|
1994-05-30 19:09:18 +00:00
|
|
|
call is the protocol number for
|
|
|
|
.Tn TCP ,
|
|
|
|
available from
|
1995-02-15 03:30:54 +00:00
|
|
|
.Xr getprotobyname 3 ,
|
|
|
|
or
|
|
|
|
.Dv IPPROTO_TCP .
|
|
|
|
All options are declared in
|
2003-09-08 19:57:22 +00:00
|
|
|
.In netinet/tcp.h .
|
1994-05-30 19:09:18 +00:00
|
|
|
.Pp
|
|
|
|
Options at the
|
|
|
|
.Tn IP
|
|
|
|
transport level may be used with
|
|
|
|
.Tn TCP ;
|
|
|
|
see
|
|
|
|
.Xr ip 4 .
|
|
|
|
Incoming connection requests that are source-routed are noted,
|
|
|
|
and the reverse source route is used in responding.
|
2003-03-22 13:43:06 +00:00
|
|
|
.Ss MIB Variables
|
1995-02-15 03:30:54 +00:00
|
|
|
The
|
2003-03-22 13:43:06 +00:00
|
|
|
.Tn TCP
|
1999-08-17 14:54:26 +00:00
|
|
|
protocol implements a number of variables in the
|
2003-03-22 13:43:06 +00:00
|
|
|
.Va net.inet.tcp
|
1995-02-15 03:30:54 +00:00
|
|
|
branch of the
|
|
|
|
.Xr sysctl 3
|
|
|
|
MIB.
|
2004-11-02 22:22:22 +00:00
|
|
|
.Bl -tag -width ".Va TCPCTL_DO_RFC1323"
|
1995-02-15 03:30:54 +00:00
|
|
|
.It Dv TCPCTL_DO_RFC1323
|
2003-03-22 13:43:06 +00:00
|
|
|
.Pq Va rfc1323
|
1995-02-15 03:30:54 +00:00
|
|
|
Implement the window scaling and timestamp options of RFC 1323
|
2003-03-22 13:43:06 +00:00
|
|
|
(default is true).
|
1995-02-15 03:30:54 +00:00
|
|
|
.It Dv TCPCTL_MSSDFLT
|
2003-03-22 13:43:06 +00:00
|
|
|
.Pq Va mssdflt
|
1995-02-15 03:30:54 +00:00
|
|
|
The default value used for the maximum segment size
|
|
|
|
.Pq Dq MSS
|
|
|
|
when no advice to the contrary is received from MSS negotiation.
|
2001-09-06 22:50:12 +00:00
|
|
|
.It Dv TCPCTL_SENDSPACE
|
2003-03-22 13:43:06 +00:00
|
|
|
.Pq Va sendspace
|
|
|
|
Maximum
|
|
|
|
.Tn TCP
|
|
|
|
send window.
|
2001-09-06 22:50:12 +00:00
|
|
|
.It Dv TCPCTL_RECVSPACE
|
2003-03-22 13:43:06 +00:00
|
|
|
.Pq Va recvspace
|
|
|
|
Maximum
|
|
|
|
.Tn TCP
|
|
|
|
receive window.
|
|
|
|
.It Va log_in_vain
|
1999-08-17 14:54:26 +00:00
|
|
|
Log any connection attempts to ports where there is not a socket
|
|
|
|
accepting connections.
|
2003-03-22 13:43:06 +00:00
|
|
|
The value of 1 limits the logging to
|
|
|
|
.Tn SYN
|
|
|
|
(connection establishment) packets only.
|
|
|
|
That of 2 results in any
|
|
|
|
.Tn TCP
|
|
|
|
packets to closed ports being logged.
|
2002-04-16 13:19:33 +00:00
|
|
|
Any value unlisted above disables the logging
|
|
|
|
(default is 0, i.e., the logging is disabled).
|
2003-03-22 13:43:06 +00:00
|
|
|
.It Va slowstart_flightsize
|
2001-05-17 17:53:21 +00:00
|
|
|
The number of packets allowed to be in-flight during the
|
|
|
|
.Tn TCP
|
|
|
|
slow-start phase on a non-local network.
|
2003-03-22 13:43:06 +00:00
|
|
|
.It Va local_slowstart_flightsize
|
2001-07-14 19:41:16 +00:00
|
|
|
The number of packets allowed to be in-flight during the
|
2001-05-17 17:53:21 +00:00
|
|
|
.Tn TCP
|
|
|
|
slow-start phase to local machines in the same subnet.
|
2003-03-22 13:43:06 +00:00
|
|
|
.It Va msl
|
2002-01-21 12:09:13 +00:00
|
|
|
The Maximum Segment Lifetime, in milliseconds, for a packet.
|
2003-03-22 13:43:06 +00:00
|
|
|
.It Va keepinit
|
|
|
|
Timeout, in milliseconds, for new, non-established
|
|
|
|
.Tn TCP
|
|
|
|
connections.
|
|
|
|
.It Va keepidle
|
2002-01-19 03:44:42 +00:00
|
|
|
Amount of time, in milliseconds, that the connection must be idle
|
|
|
|
before keepalive probes (if enabled) are sent.
|
2003-03-22 13:43:06 +00:00
|
|
|
.It Va keepintvl
|
2002-01-19 03:44:42 +00:00
|
|
|
The interval, in milliseconds, between keepalive probes sent to remote
|
|
|
|
machines.
|
2001-07-14 19:41:16 +00:00
|
|
|
After
|
2001-05-17 17:53:21 +00:00
|
|
|
.Dv TCPTV_KEEPCNT
|
|
|
|
(default 8) probes are sent, with no response, the connection is dropped.
|
2003-03-22 13:43:06 +00:00
|
|
|
.It Va always_keepalive
|
2001-05-17 17:53:21 +00:00
|
|
|
Assume that
|
|
|
|
.Dv SO_KEEPALIVE
|
|
|
|
is set on all
|
|
|
|
.Tn TCP
|
|
|
|
connections, the kernel will
|
|
|
|
periodically send a packet to the remote host to verify the connection
|
|
|
|
is still up.
|
2003-03-22 13:43:06 +00:00
|
|
|
.It Va icmp_may_rst
|
2001-05-17 17:53:21 +00:00
|
|
|
Certain
|
|
|
|
.Tn ICMP
|
|
|
|
unreachable messages may abort connections in
|
|
|
|
.Tn SYN-SENT
|
|
|
|
state.
|
2003-03-22 13:43:06 +00:00
|
|
|
.It Va do_tcpdrain
|
2001-05-17 17:53:21 +00:00
|
|
|
Flush packets in the
|
|
|
|
.Tn TCP
|
|
|
|
reassembly queue if the system is low on mbufs.
|
2003-03-22 13:43:06 +00:00
|
|
|
.It Va blackhole
|
1999-08-17 14:54:26 +00:00
|
|
|
If enabled, disable sending of RST when a connection is attempted
|
|
|
|
to a port where there is not a socket accepting connections.
|
|
|
|
See
|
|
|
|
.Xr blackhole 4 .
|
2003-03-22 13:43:06 +00:00
|
|
|
.It Va delayed_ack
|
1999-08-17 14:54:26 +00:00
|
|
|
Delay ACK to try and piggyback it onto a data packet.
|
2003-03-22 13:43:06 +00:00
|
|
|
.It Va delacktime
|
2002-01-19 03:44:42 +00:00
|
|
|
Maximum amount of time, in milliseconds, before a delayed ACK is sent.
|
2003-03-22 13:43:06 +00:00
|
|
|
.It Va newreno
|
|
|
|
Enable
|
|
|
|
.Tn TCP
|
|
|
|
NewReno Fast Recovery algorithm,
|
2000-06-02 13:12:36 +00:00
|
|
|
as described in RFC 2582.
|
2003-03-22 13:43:06 +00:00
|
|
|
.It Va path_mtu_discovery
|
|
|
|
Enable Path MTU Discovery.
|
|
|
|
.It Va tcbhashsize
|
2001-05-17 17:53:21 +00:00
|
|
|
Size of the
|
|
|
|
.Tn TCP
|
2003-03-22 13:43:06 +00:00
|
|
|
control-block hash table
|
2001-05-17 17:53:21 +00:00
|
|
|
(read-only).
|
|
|
|
This may be tuned using the kernel option
|
|
|
|
.Dv TCBHASHSIZE
|
|
|
|
or by setting
|
|
|
|
.Va net.inet.tcp.tcbhashsize
|
|
|
|
in the
|
|
|
|
.Xr loader 8 .
|
2003-03-22 13:43:06 +00:00
|
|
|
.It Va pcbcount
|
2001-05-17 17:53:21 +00:00
|
|
|
Number of active process control blocks
|
|
|
|
(read-only).
|
2003-03-22 13:43:06 +00:00
|
|
|
.It Va syncookies
|
|
|
|
Determines whether or not
|
|
|
|
.Tn SYN
|
|
|
|
cookies should be generated for outbound
|
|
|
|
.Tn SYN-ACK
|
|
|
|
packets.
|
|
|
|
.Tn SYN
|
|
|
|
cookies are a great help during
|
|
|
|
.Tn SYN
|
|
|
|
flood attacks, and are enabled by default.
|
|
|
|
(See
|
|
|
|
.Xr syncookies 4 . )
|
|
|
|
.It Va isn_reseed_interval
|
2001-09-06 22:50:12 +00:00
|
|
|
The interval (in seconds) specifying how often the secret data used in
|
|
|
|
RFC 1948 initial sequence number calculations should be reseeded.
|
|
|
|
By default, this variable is set to zero, indicating that
|
|
|
|
no reseeding will occur.
|
|
|
|
Reseeding should not be necessary, and will break
|
|
|
|
.Dv TIME_WAIT
|
|
|
|
recycling for a few minutes.
|
2003-03-22 13:43:06 +00:00
|
|
|
.It Va rexmit_min , rexmit_slop
|
|
|
|
Adjust the retransmit timer calculation for
|
|
|
|
.Tn TCP .
|
|
|
|
The slop is
|
2002-08-25 01:51:57 +00:00
|
|
|
typically added to the raw calculation to take into account
|
2003-03-22 13:43:06 +00:00
|
|
|
occasional variances that the
|
|
|
|
.Tn SRTT
|
|
|
|
(smoothed round-trip time)
|
2004-06-21 17:42:49 +00:00
|
|
|
is unable to accommodate, while the minimum specifies an
|
2003-03-22 13:43:06 +00:00
|
|
|
absolute minimum.
|
|
|
|
While a number of
|
|
|
|
.Tn TCP
|
|
|
|
RFCs suggest a 1
|
|
|
|
second minimum, these RFCs tend to focus on streaming behavior,
|
2002-08-25 01:51:57 +00:00
|
|
|
and fail to deal with the fact that a 1 second minimum has severe
|
|
|
|
detrimental effects over lossy interactive connections, such
|
|
|
|
as a 802.11b wireless link, and over very fast but lossy
|
|
|
|
connections for those cases not covered by the fast retransmit
|
2003-03-22 13:43:06 +00:00
|
|
|
code.
|
|
|
|
For this reason, we use 200ms of slop and a near-0
|
|
|
|
minimum, which gives us an effective minimum of 200ms (similar to
|
|
|
|
.Tn Linux ) .
|
2004-08-03 13:54:11 +00:00
|
|
|
.It Va inflight.enable
|
2002-08-17 20:44:24 +00:00
|
|
|
Enable
|
|
|
|
.Tn TCP
|
2003-03-22 13:43:06 +00:00
|
|
|
bandwidth-delay product limiting.
|
|
|
|
An attempt will be made to calculate
|
|
|
|
the bandwidth-delay product for each individual
|
|
|
|
.Tn TCP
|
|
|
|
connection, and limit
|
|
|
|
the amount of inflight data being transmitted, to avoid building up
|
|
|
|
unnecessary packets in the network.
|
|
|
|
This option is recommended if you
|
2002-08-17 20:44:24 +00:00
|
|
|
are serving a lot of data over connections with high bandwidth-delay
|
|
|
|
products, such as modems, GigE links, and fast long-haul WANs, and/or
|
2004-06-21 17:42:49 +00:00
|
|
|
you have configured your machine to accommodate large
|
2003-03-22 13:43:06 +00:00
|
|
|
.Tn TCP
|
|
|
|
windows.
|
|
|
|
In such
|
2002-08-17 20:44:24 +00:00
|
|
|
situations, without this option, you may experience high interactive
|
|
|
|
latencies or packet loss due to the overloading of intermediate routers
|
2003-03-22 13:43:06 +00:00
|
|
|
and switches.
|
|
|
|
Note that bandwidth-delay product limiting only effects
|
|
|
|
the transmit side of a
|
|
|
|
.Tn TCP
|
|
|
|
connection.
|
2004-08-03 13:54:11 +00:00
|
|
|
.It Va inflight.debug
|
2003-03-22 13:43:06 +00:00
|
|
|
Enable debugging for the bandwidth-delay product algorithm.
|
2004-08-03 13:54:11 +00:00
|
|
|
.It Va inflight.min
|
2003-03-22 13:43:06 +00:00
|
|
|
This puts a lower bound on the bandwidth-delay product window, in bytes.
|
|
|
|
A value of 1024 is typically used for debugging.
|
|
|
|
6000-16000 is more typical in a production installation.
|
|
|
|
Setting this value too low may result in
|
|
|
|
slow ramp-up times for bursty connections.
|
|
|
|
Setting this value too high effectively disables the algorithm.
|
2004-08-03 13:54:11 +00:00
|
|
|
.It Va inflight.max
|
2003-03-22 13:43:06 +00:00
|
|
|
This puts an upper bound on the bandwidth-delay product window, in bytes.
|
|
|
|
This value should not generally be modified, but may be used to set a
|
2002-08-17 20:44:24 +00:00
|
|
|
global per-connection limit on queued data, potentially allowing you to
|
2003-03-22 13:43:06 +00:00
|
|
|
intentionally set a less than optimum limit, to smooth data flow over a
|
|
|
|
network while still being able to specify huge internal
|
|
|
|
.Tn TCP
|
|
|
|
buffers.
|
2004-08-03 13:54:11 +00:00
|
|
|
.It Va inflight.stab
|
2003-03-22 13:43:06 +00:00
|
|
|
The bandwidth-delay product algorithm requires a slightly larger window
|
|
|
|
than it otherwise calculates for stability.
|
|
|
|
This parameter determines the extra window in maximal packets / 10.
|
|
|
|
The default value of 20 represents 2 maximal packets.
|
|
|
|
Reducing this value is not recommended, but you may
|
|
|
|
come across a situation with very slow links where the
|
|
|
|
.Xr ping 8
|
|
|
|
time
|
|
|
|
reduction of the default inflight code is not sufficient.
|
|
|
|
If this case occurs, you should first try reducing
|
2004-08-03 13:54:11 +00:00
|
|
|
.Va inflight.min
|
2002-12-23 14:50:31 +00:00
|
|
|
and, if that does not
|
|
|
|
work, reduce both
|
2004-08-03 13:54:11 +00:00
|
|
|
.Va inflight.min
|
2002-12-23 14:50:31 +00:00
|
|
|
and
|
2004-08-03 13:54:11 +00:00
|
|
|
.Va inflight.stab ,
|
2002-12-23 14:50:31 +00:00
|
|
|
trying values of
|
2003-03-22 13:43:06 +00:00
|
|
|
15, 10, or 5 for the latter.
|
|
|
|
Never use a value less than 5.
|
|
|
|
Reducing
|
2004-08-03 13:54:11 +00:00
|
|
|
.Va inflight.stab
|
2002-12-23 14:50:31 +00:00
|
|
|
can lead to upwards of a 20% underutilization of the link
|
2002-12-14 21:00:17 +00:00
|
|
|
as well as reducing the algorithm's ability to adapt to changing
|
|
|
|
situations and should only be done as a last resort.
|
2003-03-22 13:43:06 +00:00
|
|
|
.It Va rfc3042
|
|
|
|
Enable the Limited Transmit algorithm as described in RFC 3042.
|
2004-10-23 18:37:23 +00:00
|
|
|
It helps avoid timeouts on lossy links and also when the congestion window
|
2003-03-22 13:43:06 +00:00
|
|
|
is small, as happens on short transfers.
|
|
|
|
.It Va rfc3390
|
2003-03-13 01:44:58 +00:00
|
|
|
Enable support for RFC 3390, which allows for a variable-sized
|
|
|
|
starting congestion window on new connections, depending on the
|
2003-03-22 13:43:06 +00:00
|
|
|
maximum segment size.
|
|
|
|
This helps throughput in general, but
|
2003-03-13 01:44:58 +00:00
|
|
|
particularly affects short transfers and high-bandwidth large
|
2003-03-22 13:43:06 +00:00
|
|
|
propagation-delay connections.
|
2003-03-13 01:44:58 +00:00
|
|
|
.Pp
|
2003-03-22 13:43:06 +00:00
|
|
|
When this feature is enabled, the
|
|
|
|
.Va slowstart_flightsize
|
|
|
|
and
|
|
|
|
.Va local_slowstart_flightsize
|
|
|
|
settings are not observed for new
|
2003-03-13 01:44:58 +00:00
|
|
|
connection slow starts, but they are still used for slow starts
|
|
|
|
that occur when the connection has been idle and starts sending
|
|
|
|
again.
|
2004-07-10 17:55:13 +00:00
|
|
|
.It Va sack.enable
|
|
|
|
Enable support for RFC 2018, TCP Selective Acknowledgment option,
|
|
|
|
which allows the receiver to inform the sender about all successfully
|
|
|
|
arrived segments, allowing the sender to retransmit the missing segments
|
|
|
|
only.
|
2004-10-12 13:52:46 +00:00
|
|
|
.It Va sack.initburst
|
|
|
|
Control the number of SACK retransmissions done upon initiation of SACK
|
|
|
|
recovery.
|
1995-02-15 03:30:54 +00:00
|
|
|
.El
|
2001-04-13 19:49:07 +00:00
|
|
|
.Sh ERRORS
|
1994-05-30 19:09:18 +00:00
|
|
|
A socket operation may fail with one of the following errors returned:
|
2001-04-13 19:49:07 +00:00
|
|
|
.Bl -tag -width Er
|
1994-05-30 19:09:18 +00:00
|
|
|
.It Bq Er EISCONN
|
|
|
|
when trying to establish a connection on a socket which
|
|
|
|
already has one;
|
|
|
|
.It Bq Er ENOBUFS
|
|
|
|
when the system runs out of memory for
|
|
|
|
an internal data structure;
|
|
|
|
.It Bq Er ETIMEDOUT
|
|
|
|
when a connection was dropped
|
|
|
|
due to excessive retransmissions;
|
|
|
|
.It Bq Er ECONNRESET
|
|
|
|
when the remote peer
|
|
|
|
forces the connection to be closed;
|
|
|
|
.It Bq Er ECONNREFUSED
|
|
|
|
when the remote
|
|
|
|
peer actively refuses connection establishment (usually because
|
|
|
|
no process is listening to the port);
|
|
|
|
.It Bq Er EADDRINUSE
|
|
|
|
when an attempt
|
|
|
|
is made to create a socket with a port which has already been
|
|
|
|
allocated;
|
|
|
|
.It Bq Er EADDRNOTAVAIL
|
2001-07-14 19:41:16 +00:00
|
|
|
when an attempt is made to create a
|
1994-05-30 19:09:18 +00:00
|
|
|
socket with a network address for which no network interface
|
2003-03-22 13:43:06 +00:00
|
|
|
exists;
|
1994-12-15 20:54:28 +00:00
|
|
|
.It Bq Er EAFNOSUPPORT
|
|
|
|
when an attempt is made to bind or connect a socket to a multicast
|
|
|
|
address.
|
1994-05-30 19:09:18 +00:00
|
|
|
.El
|
|
|
|
.Sh SEE ALSO
|
|
|
|
.Xr getsockopt 2 ,
|
|
|
|
.Xr socket 2 ,
|
1995-02-15 03:30:54 +00:00
|
|
|
.Xr sysctl 3 ,
|
2001-07-06 16:46:48 +00:00
|
|
|
.Xr blackhole 4 ,
|
1994-05-30 19:09:18 +00:00
|
|
|
.Xr inet 4 ,
|
1996-12-26 16:16:37 +00:00
|
|
|
.Xr intro 4 ,
|
1995-02-15 03:30:54 +00:00
|
|
|
.Xr ip 4 ,
|
2002-12-23 14:51:18 +00:00
|
|
|
.Xr syncache 4 ,
|
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.
Sponsored by: sentex.net
2004-02-11 04:26:04 +00:00
|
|
|
.Xr setkey 8
|
1995-02-15 03:30:54 +00:00
|
|
|
.Rs
|
2003-03-22 13:43:06 +00:00
|
|
|
.%A "V. Jacobson"
|
|
|
|
.%A "R. Braden"
|
|
|
|
.%A "D. Borman"
|
1995-02-15 03:30:54 +00:00
|
|
|
.%T "TCP Extensions for High Performance"
|
2003-03-22 13:43:06 +00:00
|
|
|
.%O "RFC 1323"
|
1995-02-15 03:30:54 +00:00
|
|
|
.Re
|
|
|
|
.Rs
|
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.
Sponsored by: sentex.net
2004-02-11 04:26:04 +00:00
|
|
|
.%A "A. Heffernan"
|
|
|
|
.%T "Protection of BGP Sessions via the TCP MD5 Signature Option"
|
|
|
|
.%O "RFC 2385"
|
|
|
|
.Re
|
1994-05-30 19:09:18 +00:00
|
|
|
.Sh HISTORY
|
|
|
|
The
|
2003-03-22 13:43:06 +00:00
|
|
|
.Tn TCP
|
1995-02-15 03:30:54 +00:00
|
|
|
protocol appeared in
|
1994-05-30 19:09:18 +00:00
|
|
|
.Bx 4.2 .
|
1995-02-15 03:30:54 +00:00
|
|
|
The RFC 1323 extensions for window scaling and timestamps were added
|
|
|
|
in
|
|
|
|
.Bx 4.4 .
|