Re: Summary of responses so far and proposal moving forward[WasRe: [tcpm] Is this a problem?]

Joe Touch <touch@ISI.EDU> Wed, 28 November 2007 13:22 UTC

Return-path: <>
Received: from [] ( by with esmtp (Exim 4.43) id 1IxMrZ-0007HM-AV; Wed, 28 Nov 2007 08:22:01 -0500
Received: from tcpm by with local (Exim 4.43) id 1IxMrY-0007H7-0q for; Wed, 28 Nov 2007 08:22:00 -0500
Received: from [] ( by with esmtp (Exim 4.43) id 1IxMrW-0007Gs-SE for; Wed, 28 Nov 2007 08:21:58 -0500
Received: from ([]) by with esmtp (Exim 4.43) id 1IxMrW-0004Xc-CH for; Wed, 28 Nov 2007 08:21:58 -0500
Received: from [] ( []) by (8.13.8/8.13.8) with ESMTP id lASDLKoZ011228; Wed, 28 Nov 2007 05:21:22 -0800 (PST)
Message-ID: <>
Date: Wed, 28 Nov 2007 05:21:00 -0800
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird (Windows/20071031)
MIME-Version: 1.0
To: Mahesh Jethanandani <>
Subject: Re: Summary of responses so far and proposal moving forward[WasRe: [tcpm] Is this a problem?]
References: <> <> <> <> <>
In-Reply-To: <>
X-Enigmail-Version: 0.95.5
X-ISI-4-43-8-MailScanner: Found to be clean
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 92df29fa99cf13e554b84c8374345c17
Cc:, David Borman <>, Mark Allman <>
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <>
List-Unsubscribe: <>, <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
Content-Type: multipart/mixed; boundary="===============1544669682=="

Mahesh Jethanandani wrote:
> What I should have said is that the fact that the above statement in RFC
> 1122 that "TCP MUST allow the connection to stay open" in response to
> probes has caused a lot of confusion. We have opinions all the way from
> it is ok for TCP to terminate the connection "in times of trouble" to it
> is not for TCP to terminate any connection. We have had mails that have
> said that it is ok for application/OS/socket layer to terminate the
> connection but it is not ok for TCP to terminate the connection. Does it
> mean that if socket interface makes a call to tcp_abort() to abort a
> connection, that it is not TCP that is aborting the connection, but it
> is socket interface that is, and therefore it is fine?
> Would it not help to clarify the statement in the rfc?

It would be useful to clarify that in the Unix man pages for
tcp_abort(), if there is in fact any real confusion in the Unix
community on this issue.

As Dave noted, RFC1122 is clear on the context of not aborting
connections within TCP due to zero windows with active probes.

The rest of this discussion has been addressing a moving target based on
falsified claims of a vulnerability, which, as others have noted, is not
more advantageous than many others in TCP, e.g., slowly draining
buffers. It makes no sense to single out "victims" of this "attack" by
"cleaning up" TCP state to save resources vs. any other mechanism to
limit resource overuse (e.g., prohibiting new connections, deleting
those with the largest socket buffers, etc.).

The key issue is that a zero receive window with active probes is a
valid, active TCP connection - as valid as any other in its use of
resources. If we need a document to describe what to do in the event of
resource overuse (and I don't think we do), the current document - and
motivating threat - are notable only in how NOT to single out
connections for resource recovery.


tcpm mailing list