Date: Sun, 8 Jul 2001 03:31:59 -0500
From: John Cappiello <john@apt202.net>
To: freebsd-stable@freebsd.org
Subject: Re: Headsup: Tcp ISN generation changes from 4.2 to 4.3
Message-ID: <20010708033159.A19667@localhost>
In-Reply-To: <20010707002821.A18599-100000@achilles.silby.com>; from silby@silby.com on Sat, Jul 07, 2001 at 10:30:26PM -0500
References: <20010707002821.A18599-100000@achilles.silby.com>
On Sat, Jul 07, 2001 at 10:30:26PM -0500, Mike Silbersack wrote:
>
> If you are running 4.3-release or later, please read the entirety of this
> message; you are probably affected.
>
> Shortly before 4.3-release was tagged, the tcp initial sequence number
> generation scheme was changed to fix a weakness which could allow an
> attacker to reset connections. At that time, it was known that the fix
> would also break TIME_WAIT handling. The impact of this breakage was
> expected to be small. Unfortunately, recent reports on -net seem to
> indicate that the breakage is widespread.
>
> Consequently, I have just committed patches to -current and -stable which
> allow you to select the tcp initial sequence number generation scheme used
> by your system. If you don't wish to cvsup just for this patch, you may
> instead obtain it from http://www.silby.com/patches/multiple_isn_schemes.patch
> and manually apply the patch yourself.
>
> Once a patched / updated kernel is installed, you can change generation
> schemes with the sysctl net.inet.tcp.tcp_seq_genscheme. 0 = the older
> random positive increments, 1 = the newer randomized scheme.
>
> The newer scheme causes problems in cases where a FreeBSD is making many
> outgoing connections per second to the same host. For example, you may
> have a box which connects to a backend SQL server. If you have such a
> setup, you are probably seeing many rejected connections each second /
> other oddities in connection setup. If this is the case, you should
> update and toggle the system back to random positive increments.
>
> The newer scheme causes no problems in accepting incoming connections. As
> a result, you will probably see no problems if your servers mainly handle
> incoming requests and do not make many outgoing requests of their own.
>
> This sysctl will only be temporary. Once a secure _and_ compatible
> initial sequence number generation scheme is implemented, it will become
> the default. This will be at least a few weeks away, however. If you are
> seeing the problems described above, you should cvsup (or patch) and flip
> the sysctl now, rather than wait.

I'm sorry, but I just want to make sure I have this right. I checked my logs but did not see any report of this problem. Is there anywhere specific I should be looking for this error? I just don't want to assume I'm not affected by this, and be wrong.

>
> Mike "Silby" Silbersack
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message

Thanks,
John
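One way to look for the symptom Mike describes and to see which scheme a box is running, as an added example that is not part of this thread: it counts TIME_WAIT sockets per remote host in `netstat -an` output (a constructed FreeBSD-style sample is embedded so it runs offline) and labels the `net.inet.tcp.tcp_seq_genscheme` value; the sample addresses, the fallback value and the hotspot threshold are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Counts TIME_WAIT sockets per remote host
# in `netstat -an` output and labels the net.inet.tcp.tcp_seq_genscheme value.
# The sample below is constructed (FreeBSD netstat format: host.port columns).
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.10.55001     10.0.0.5.3306          TIME_WAIT
tcp4       0      0  192.168.1.10.55002     10.0.0.5.3306          TIME_WAIT
tcp4       0      0  192.168.1.10.55003     10.0.0.5.3306          TIME_WAIT
tcp4       0      0  192.168.1.10.55004     10.0.0.9.80            TIME_WAIT
tcp4       0      0  192.168.1.10.22        203.0.113.7.40212      ESTABLISHED
tcp4       0      0  *.22                   *.*                    LISTEN'
SAMPLE_GENSCHEME=1   # assumed value, used only when the sysctl is unavailable

# Read netstat output on stdin; print "<remote host> <TIME_WAIT count>",
# busiest host first. Handles both a.b.c.d.port and a.b.c.d:port columns.
count_time_wait() {
    awk '$1 ~ /^tcp/ && $NF == "TIME_WAIT" {
            host = $5; sub(/[.:][0-9]+$/, "", host); n[host]++
         }
         END { for (h in n) printf "%s %d\n", h, n[h] }' | sort -k2,2nr
}

# Print remote hosts holding at least $1 TIME_WAIT sockets: a box making many
# outgoing connections per second to one backend is the case the headsup names.
flag_hotspots() {
    count_time_wait | awk -v t="$1" '$2 >= t { print $1 }'
}

# Map the sysctl value to the scheme it selects, as described in the headsup.
describe_genscheme() {
    case "$1" in
        0) echo "0: random positive increments (older scheme)" ;;
        1) echo "1: randomized ISNs (newer scheme; breaks TIME_WAIT reuse)" ;;
        *) echo "unknown tcp_seq_genscheme value: $1"; return 1 ;;
    esac
}

# Live value on a patched FreeBSD kernel; elsewhere fall back to the sample.
current_genscheme() {
    val=$(sysctl -n net.inet.tcp.tcp_seq_genscheme 2>/dev/null) && [ -n "$val" ] \
        && echo "$val" || echo "$SAMPLE_GENSCHEME"
}

echo "TIME_WAIT sockets per remote host:"
printf '%s\n' "$SAMPLE_NETSTAT" | count_time_wait
echo "hosts with 3 or more:"; printf '%s\n' "$SAMPLE_NETSTAT" | flag_hotspots 3
echo "ISN scheme: $(describe_genscheme "$(current_genscheme)")"
```

On a live box, replace the sample with `netstat -an | count_time_wait`; a backend host at the top of the list with a high count is where the rejected-connection oddities from the headsup would appear.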
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010708033159.A19667>