From owner-freebsd-security@FreeBSD.ORG Mon Apr 26 01:28:43 2004
From: Mipam
To: Peter Pentchev
cc: freebsd-security@freebsd.org
Date: Mon, 26 Apr 2004 09:18:05 +0200 (MET DST)
Subject: Re: use keep state(strict) to mitigate tcp issues?
In-Reply-To: <20040423144422.GD961@straylight.m.ringlet.net>

On Fri, 23 Apr 2004, Peter Pentchev wrote:

> On Fri, Apr 23, 2004 at 03:17:32PM +0200, Mipam wrote:
> > Hi,
> >
> > When deploying a BSD with IPF at the network perimeter
> > and using rules like these:
> >
> > pass in .. proto tcp ... keep state(strict)
> >
> > it's possible to refuse TCP packets which arrive out of order.
> > This would increase the difficulty of doing blind reset attacks and blind
> > data injection attacks, because then you'd have to "guess" the exact expected
> > number. Checkpoint has a similar feature (is that right?) which is
> > described here as the answer to the mentioned attacks:
> >
> > http://www.checkpoint.com/techsupport/alerts/tcp_dos.html
> >
> > Although this is nice, there is also the risk of breaking
> > connections, because it's not unlikely that packets arrive out of order.
> > At least, that's what I think; any thoughts on this?
>
> IMHO, in the world of multihomed ISPs, BGP and multipath routing, no,
> it is definitely *not* unlikely that packets should arrive out of order.

I have no statistics and didn't check it out more closely, but in practice,
let's say in just daily life, in how many connections would packets be
arriving out of order?

Of course, if strict is being used and out-of-order packets are denied,
TCP on the other side would resend all the packets within the window size
(or any packets or packet stream for which no ACK has been received), but if
they arrived out of order again, or at least one of them did, no progress
would have been made.

Don't take me wrong here, I think keep state(strict) is a cool feature, but
I just wonder in how many cases in busy networks it would cause a certain
amount of traffic loss (even though TCP should be able to remedy this and
send the same packets several times, it has no control over fast-changing
paths to its destination), and how large would that certain amount be?

Maybe I'm a little bit too paranoid in thinking too many connections are
dealing with out-of-order arriving packets?

Bye,

Mipam.
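The trade-off the thread is discussing (strict in-order tracking shrinks the space a blind attacker can hit, but also rejects legitimately reordered segments) can be made concrete with a small model. The following is an added example, not IPFilter's or Checkpoint's code: it assumes a simplified "windowed" tracker that accepts any segment whose sequence number falls inside the receive window, and a simplified "strict" tracker that accepts only the exact next expected sequence number. The window size, sequence numbers and the attacker's guess are constructed values.

```python
"""Toy model of a stateful TCP filter with and without strict
in-order sequence checking.

Added example for illustration only; it is not IPFilter's state
engine.  Both policies below are simplifying assumptions:
  - windowed: accept a segment if its seq lies in [rcv_nxt, rcv_nxt + window)
  - strict:   accept a segment only if seq == rcv_nxt
"""

from dataclasses import dataclass, field

SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32-bit and wrap


@dataclass
class Segment:
    seq: int            # sequence number of the first payload byte
    length: int = 0     # payload length in bytes
    rst: bool = False   # True for a reset segment


@dataclass
class FlowState:
    rcv_nxt: int                  # next in-order sequence number expected
    window: int                   # receive window the tracker believes is open
    strict: bool = False          # strict: exact in-order match required
    accepted: list = field(default_factory=list)
    dropped: list = field(default_factory=list)

    def in_window(self, seq: int) -> bool:
        # Distance computed modulo 2^32 so a wrapped sequence space is handled.
        return (seq - self.rcv_nxt) % SEQ_SPACE < self.window

    def check(self, seg: Segment) -> bool:
        """Return True if the tracker would pass this segment."""
        if self.strict:
            ok = seg.seq == self.rcv_nxt
        else:
            ok = self.in_window(seg.seq)
        if ok:
            self.accepted.append(seg)
            # Only in-order data advances the expectation; an accepted
            # out-of-order segment is passed but leaves rcv_nxt alone.
            if not seg.rst and seg.seq == self.rcv_nxt:
                self.rcv_nxt = (self.rcv_nxt + seg.length) % SEQ_SPACE
        else:
            self.dropped.append(seg)
        return ok


def run_scenario(strict: bool) -> dict:
    """Legitimate stream with one reordering, followed by a blind RST whose
    sequence number is inside the window but not the exact expected value.
    All numbers are constructed for the example."""
    fs = FlowState(rcv_nxt=1000, window=65536, strict=strict)
    results = {}
    results["in_order"] = fs.check(Segment(seq=1000, length=100))        # rcv_nxt -> 1100
    results["reordered"] = fs.check(Segment(seq=1300, length=100))       # arrives before 1100
    results["missing_filler"] = fs.check(Segment(seq=1100, length=200))  # rcv_nxt -> 1300
    results["blind_rst"] = fs.check(Segment(seq=20000, rst=True))        # attacker's guess
    return results


def guesses_to_cover(window: int, strict: bool) -> int:
    """Number of distinct sequence-number guesses needed to be sure one
    is accepted: the whole space for strict, space / window otherwise."""
    return SEQ_SPACE // (1 if strict else window)


if __name__ == "__main__":
    for strict in (False, True):
        label = "strict" if strict else "windowed"
        print(label, run_scenario(strict), "guesses:", guesses_to_cover(65536, strict))
```

Running it shows the two sides of Mipam's question in one place: the strict tracker drops the spoofed in-window RST that the windowed tracker lets through, and for a 64 KiB window it raises the number of blind guesses from 65536 to 2^32, but it also drops the legitimately reordered segment, so the peer has to retransmit before the flow makes progress.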