Re: [tcpm] Sequence number checking for incoming RST segments

Lars Eggert <lars.eggert@netlab.nec.de> Tue, 08 November 2005 02:38 UTC

In-Reply-To: <20051024164244.GE54696@pun.isi.edu>
References: <447BB19E14004A4388CB9A864D2BA7630DB0FB@hq-ex-6.brocade.com> <20051024164244.GE54696@pun.isi.edu>
Message-Id: <F40CB132-6BA4-4023-902D-C074DC4B5671@netlab.nec.de>
From: Lars Eggert <lars.eggert@netlab.nec.de>
Subject: Re: [tcpm] Sequence number checking for incoming RST segments
Date: Mon, 07 Nov 2005 18:38:00 -0800
To: Ted Faber <faber@ISI.EDU>
Cc: tcpm@ietf.org, Indraneel Ghosh <ighosh@Brocade.COM>

On Oct 24, 2005, at 9:42, Ted Faber wrote:
> I'd start here: http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-03.txt
>
> Then I'd check the tcpm archives for discussion on that topic. There's been a bit. Those are here: http://www1.ietf.org/mail-archive/web/tcpm/current/index.html

FYI, the latest stable FreeBSD-6.0 also seems to implement (some variant of) tcpsecure:

"The RST handling of the FreeBSD TCP stack has been improved to make reset attacks as difficult as possible while maintaining compatibility with the widest range of TCP stacks. The algorithm is as follows: For connections in the ESTABLISHED state, only resets with sequence numbers exactly matching last_ack_sent will cause a reset; all other segments will be silently dropped. For connections in all other states, a reset anywhere in the window will cause the connection to be reset. All other segments will be silently dropped. Note that this behavior technically violates the RFC 793 specification; the conventional (but less secure) behavior can be restored by setting a new sysctl net.inet.tcp.insecure_rst to 1. [MERGED]"

http://www.freebsd.org/releases/6.0R/relnotes-i386.html

Lars
--
Lars Eggert                                     NEC Network Laboratories
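The RST acceptance rule quoted from the FreeBSD 6.0 release notes, written out as an added C example for readers of this thread (my own illustration, not FreeBSD's kernel code). The `struct tcb` fields, the `TCPS_OTHER` catch-all for every non-ESTABLISHED state, and the zero-window handling taken from RFC 793's acceptability test are assumptions of this example; the `insecure_rst` argument stands in for the `net.inet.tcp.insecure_rst` sysctl.

```c
#include <stdint.h>
#include <stdbool.h>

/* Sequence-space comparisons that stay correct across 32-bit wraparound:
 * compare the signed difference, the idiom BSD-derived stacks use. */
#define SEQ_LT(a, b)  ((int32_t)((a) - (b)) < 0)
#define SEQ_GEQ(a, b) ((int32_t)((a) - (b)) >= 0)

enum tcp_state { TCPS_ESTABLISHED, TCPS_OTHER };

/* Minimal stand-in for the receive side of a TCP control block (assumed
 * fields for this example, not FreeBSD's struct tcpcb). */
struct tcb {
    enum tcp_state state;
    uint32_t rcv_nxt;        /* next sequence number we expect */
    uint32_t rcv_wnd;        /* receive window we advertised */
    uint32_t last_ack_sent;  /* ack number carried by the last segment we sent */
};

/* RFC 793 acceptability test for a segment's sequence number: inside
 * [rcv_nxt, rcv_nxt + rcv_wnd), or exactly rcv_nxt when the window is closed. */
static bool seq_in_window(const struct tcb *t, uint32_t seq)
{
    if (t->rcv_wnd == 0)
        return seq == t->rcv_nxt;
    return SEQ_GEQ(seq, t->rcv_nxt) && SEQ_LT(seq, t->rcv_nxt + t->rcv_wnd);
}

/* True if an incoming RST carrying sequence number 'seq' should tear the
 * connection down, false if it should be silently dropped. insecure_rst != 0
 * restores the conventional "anywhere in the window" rule in every state. */
bool rst_is_acceptable(const struct tcb *t, uint32_t seq, int insecure_rst)
{
    if (insecure_rst)
        return seq_in_window(t, seq);
    if (t->state == TCPS_ESTABLISHED)
        return seq == t->last_ack_sent;   /* exact match only */
    return seq_in_window(t, seq);         /* other states: in-window suffices */
}

/* How many distinct sequence values an RST could carry and still be accepted.
 * This is the quantity the strict rule shrinks: in ESTABLISHED it drops from
 * rcv_wnd candidates out of 2^32 to a single one. */
uint64_t accepted_seq_count(const struct tcb *t, int insecure_rst)
{
    if (!insecure_rst && t->state == TCPS_ESTABLISHED)
        return 1;
    return t->rcv_wnd == 0 ? 1 : t->rcv_wnd;
}
```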
