2

I was reading RFC 4987, which describes SYN cookies, and it seems the Maximum Segment Size (MSS) is encoded in the SYN cookie. I am not sure why that is the case. Can someone explain why we need the MSS in the SYN cookie?

Human
  • The original SYN packet contains the MSS, and the server needs to know the MSS to control the TCP connection properly. Normally you'd save the MSS in memory on the server, but the whole point of SYN cookies is to avoid a DoS on server memory. – paj28 Nov 07 '16 at 17:18
  • So is it a security measure or just a way to quickly recover MSS from a SYN cookie? – Human Nov 07 '16 at 18:25
  • SYN cookies are a security measure. They need to include the MSS to work correctly. If you have further questions, [this](https://cr.yp.to/syncookies.html) should answer them. – paj28 Nov 07 '16 at 20:50
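To make the comments above concrete, here is an added example (not code from the question, the RFC, or cr.yp.to) of the cookie layout DJB describes: a 32-bit initial sequence number whose top 5 bits carry a time counter, next 3 bits an index into a small MSS table, and low 24 bits a keyed tag over the connection 4-tuple. The server stores nothing per half-open connection; when the client's ACK arrives, the MSS is recovered from the acknowledgement number itself. The MSS table values, the HMAC-SHA256 tag, and the constructed secret and addresses are assumptions for this example; the tag here also covers the MSS index so a forged ACK cannot change the recovered MSS.

```python
import hashlib
import hmac

# Constructed secret for the example; a real server draws this from a CSPRNG at boot.
SECRET = b"constructed-example-secret"

# Only 3 bits are available for the MSS, so the server keeps a short table of
# common values and stores an index. The client's MSS is rounded DOWN to a
# table entry, so the server never sends segments larger than the client allowed.
MSS_TABLE = (536, 1300, 1440, 1460)  # assumed table for this example

COUNTER_MASK = 0x1F        # 5 bits of the time counter (t mod 32)
MSS_INDEX_MASK = 0x7       # 3 bits of MSS table index
MAC_MASK = (1 << 24) - 1   # 24-bit keyed tag


def mss_index(client_mss):
    """Index of the largest table entry that does not exceed the client's MSS."""
    best = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= client_mss:
            best = i
    return best


def _mac24(four_tuple, t, idx):
    """24-bit keyed tag over client ip/port, server ip/port, counter and MSS index."""
    cip, cport, sip, sport = four_tuple
    msg = f"{cip}:{cport}>{sip}:{sport}|{t}|{idx}".encode()
    tag = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:3], "big")


def make_syn_cookie(four_tuple, client_mss, t):
    """Build the ISN sent in the SYN-ACK; t is a coarse counter (DJB uses 64-second ticks)."""
    idx = mss_index(client_mss)
    return ((t & COUNTER_MASK) << 27) | (idx << 24) | _mac24(four_tuple, t, idx)


def validate_ack(four_tuple, ack_num, now, max_age=4):
    """Check the final ACK of the handshake without any stored state.

    The cookie is ack_num - 1 (the client acknowledges ISN + 1). Returns the
    recovered MSS for the new connection, or None if the cookie is forged or
    older than max_age counter ticks.
    """
    cookie = (ack_num - 1) & 0xFFFFFFFF
    t_low = cookie >> 27
    idx = (cookie >> 24) & MSS_INDEX_MASK
    mac = cookie & MAC_MASK
    if idx >= len(MSS_TABLE):
        return None  # index outside the table: not something this server issued
    for age in range(max_age + 1):
        t = now - age
        if t >= 0 and (t & COUNTER_MASK) == t_low and _mac24(four_tuple, t, idx) == mac:
            return MSS_TABLE[idx]
    return None


if __name__ == "__main__":
    # Constructed 4-tuple: documentation addresses, not real hosts.
    ft = ("192.0.2.10", 40000, "198.51.100.5", 443)
    isn = make_syn_cookie(ft, 1400, t=100)
    print(hex(isn), validate_ack(ft, isn + 1, now=101))  # MSS 1400 rounds down to 1300
```

Run as a script it prints the cookie and the MSS recovered from it. The interesting property is that `validate_ack` reads the MSS back out of the acknowledgement number: without those 3 bits the server would have to remember each client's MSS, which is exactly the per-connection state SYN cookies exist to avoid.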

1 Answer

2

This has something to do with MTU and Path MTU Discovery (PMTUD).

Let's assume your MTU is 1400 and the MTU of your server is 1500. When you try to download a file without MSS or PMTUD, the server would try to send you the file in roughly 1500-byte packets, which would be dropped since your MTU is only 1400.

With Path MTU Discovery, the server can discover what the MTU size is; the thing is, it relies on ICMP. So when a packet is dropped, an ICMP message is sent back. However, if ICMP is blocked, the server must rely on the MSS value included in the SYN packet. So if you lower your MTU, the MSS value in your SYN packets will be lowered as well, so the servers will now know how to size the packets.

Your router can also be altering the MSS field in SYN packets to adjust to the MTU of your broadband line, like ADSL. It's the iptables feature "SYN TCPMSS clamp to PMTU". This is because if your broadband line's MTU is lower than your WiFi MTU (which is normally 1500), the router may need to clamp it for you so the packets coming back from internet servers are sized for your broadband and not WiFi.

Aria
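As an added illustration of the clamping the answer describes (example code, not from the answer or from iptables), the block below builds a minimal TCP SYN header carrying an MSS option, parses the option list, and rewrites the MSS so it fits the outgoing link's MTU minus the 40 bytes of IPv4 and TCP headers, which is the arithmetic behind "clamp MSS to PMTU". The port numbers and segment contents are constructed; the TCP checksum is left at zero, so a real middlebox would additionally have to recompute it after the rewrite.

```python
import struct

TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2
TCP_FIXED_HEADER = 20   # bytes of TCP header before options
IPV4_HEADER = 20        # bytes of IPv4 header without options
TCP_FLAG_SYN = 0x02


def build_syn(src_port, dst_port, mss):
    """Constructed minimal TCP SYN header (no IP header, checksum 0) with one MSS option."""
    options = struct.pack("!BBH", TCP_OPT_MSS, 4, mss)  # kind=2, len=4, value
    data_offset_words = (TCP_FIXED_HEADER + len(options)) // 4  # 6 words = 24 bytes
    fixed = struct.pack(
        "!HHIIBBHHH",
        src_port, dst_port,
        0,                       # sequence number
        0,                       # acknowledgement number
        data_offset_words << 4,  # data offset in the high nibble, reserved bits 0
        TCP_FLAG_SYN,            # flags
        65535,                   # window
        0,                       # checksum (not computed in this example)
        0,                       # urgent pointer
    )
    return fixed + options


def _walk_options(segment):
    """Yield (kind, offset_of_value, length) per option; stop on EOL or a malformed option."""
    header_len = min((segment[12] >> 4) * 4, len(segment))
    i = TCP_FIXED_HEADER
    while i < header_len:
        kind = segment[i]
        if kind == TCP_OPT_EOL:
            return
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= header_len:
            return  # truncated: no length byte
        length = segment[i + 1]
        if length < 2 or i + length > header_len:
            return  # bogus length: stop rather than read past the header
        yield kind, i + 2, length
        i += length


def read_mss(segment):
    """Return the MSS advertised in the segment's options, or None if absent."""
    for kind, off, length in _walk_options(segment):
        if kind == TCP_OPT_MSS and length == 4:
            return struct.unpack("!H", segment[off:off + 2])[0]
    return None


def clamp_mss_to_pmtu(segment, link_mtu):
    """Return a copy of a SYN whose MSS option is reduced to fit link_mtu.

    Non-SYN segments are returned unchanged because only SYNs carry the option.
    """
    if not segment[13] & TCP_FLAG_SYN:
        return bytes(segment)
    max_mss = link_mtu - IPV4_HEADER - TCP_FIXED_HEADER
    out = bytearray(segment)
    for kind, off, length in _walk_options(out):
        if kind == TCP_OPT_MSS and length == 4:
            current = struct.unpack("!H", out[off:off + 2])[0]
            if current > max_mss:
                out[off:off + 2] = struct.pack("!H", max_mss)
    return bytes(out)


if __name__ == "__main__":
    # A client on a 1500-byte WiFi link advertises 1460; the ADSL uplink is 1400.
    syn = build_syn(40000, 443, 1460)
    print(read_mss(syn), "->", read_mss(clamp_mss_to_pmtu(syn, 1400)))
```

With a 1400-byte link MTU the advertised 1460 becomes 1360, so the remote server sizes its segments for the broadband line even if ICMP is filtered and PMTUD never gets a chance to work. The option walker stops on a truncated or bad-length option instead of reading past the header, which is the defensive behaviour you want from anything that parses attacker-supplied packets.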