On 12/16/2018 12:19 PM, David Miller wrote:
> From: Christoph Paasch <cpaa...@apple.com>
> Date: Fri, 14 Dec 2018 14:40:02 -0800
>
>> Currently, TFO only allows a single TFO-secret. This means that whenever
>> the secret gets changed for key-rotation purposes, all the previously
>> issued TFO-cookies become invalid. This means that clients will fallback
>> to "regular" TCP, incurring a cost of one additional round-trip.
>>
>> This patchset introduces a TFO key-pool that allows to more gracefully
>> change the key. The size of the pool is 2 (this could be changed in the
>> future through a sysctl if needed). When a client connects with an "old"
>> TFO cookie, the server will now accept the data in the SYN and at the
>> same time announce a new TFO-cookie to the client.
>>
>> We have seen a significant reduction of LINUX_MIB_TCPFASTOPENPASSIVEFAIL
>> thanks to these patches. Invalid cookies are now solely observed when
>> clients behind a NAT are getting a new public IP.
>
> Yuchung and Eric, please review.
>
Thanks David, I will do now.
