From: Mike Silbersack <silby@silby.com>
To: freebsd-stable@freebsd.org
Date: Sat, 7 Jul 2001 22:30:26 -0500 (CDT)
Subject: Headsup: Tcp ISN generation changes from 4.2 to 4.3
Message-ID: <20010707002821.A18599-100000@achilles.silby.com>
Sender: owner-freebsd-stable@FreeBSD.ORG

If you are running 4.3-release or later, please read the entirety of this message; you are probably affected.

Shortly before 4.3-release was tagged, the tcp initial sequence number generation scheme was changed to fix a weakness which could allow an attacker to reset connections. At that time, it was known that the fix would also break TIME_WAIT handling. The impact of this breakage was expected to be small. Unfortunately, recent reports on -net seem to indicate that the breakage is widespread.

Consequently, I have just committed patches to -current and -stable which allow you to select the tcp initial sequence number generation scheme used by your system. If you don't wish to cvsup just for this patch, you may instead obtain it from http://www.silby.com/patches/multiple_isn_schemes.patch and manually apply the patch yourself.

Once a patched / updated kernel is installed, you can change generation schemes with the sysctl net.inet.tcp.tcp_seq_genscheme:

  0 = the older random positive increments
  1 = the newer randomized scheme
The newer scheme causes problems in cases where a FreeBSD box is making many outgoing connections per second to the same host. For example, you may have a box which connects to a backend SQL server. If you have such a setup, you are probably seeing many rejected connections each second / other oddities in connection setup. If this is the case, you should update and toggle the system back to random positive increments.

The newer scheme causes no problems in accepting incoming connections. As a result, you will probably see no problems if your servers mainly handle incoming requests and do not make many outgoing requests of their own.

This sysctl will only be temporary. Once a secure _and_ compatible initial sequence number generation scheme is implemented, it will become the default. This will be at least a few weeks away, however. If you are seeing the problems described above, you should cvsup (or patch) and flip the sysctl now, rather than wait.

Mike "Silby" Silbersack
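The TIME_WAIT interaction behind the rejected connections, as an added model (not code from the original post or from FreeBSD): a peer holding a 4-tuple in TIME_WAIT accepts a fresh SYN only if its sequence number lies beyond the last one it received on that tuple, so fully random ISNs fail that test about half the time while positive increments always pass. The increment range and per-connection byte counts are constructed values, not the kernel's.

```python
import random

MOD = 1 << 32  # TCP sequence numbers live in a 32-bit modular space


def seq_gt(a, b):
    """RFC 793 style comparison: True if a is 'later' than b, modulo 2**32."""
    return a != b and ((a - b) & 0xFFFFFFFF) < (1 << 31)


def isn_positive_increment(prev_isn, rng):
    """Scheme 0 (model): next ISN = previous ISN + a random positive step.
    The step range is constructed for illustration, not FreeBSD's constant."""
    return (prev_isn + rng.randrange(16384, 65536)) % MOD


def isn_randomized(prev_isn, rng):
    """Scheme 1 (model): each ISN drawn independently from the whole space."""
    return rng.randrange(MOD)


def time_wait_accepts_syn(peer_rcv_nxt, syn_seq):
    """Peer in TIME_WAIT reopens the tuple only for a SYN beyond what it last saw;
    anything else is treated as an old duplicate and the connect attempt fails."""
    return seq_gt(syn_seq, peer_rcv_nxt)


def rejection_rate(scheme, connections=10000, seed=1):
    """Fraction of back-to-back connections to one host that hit this failure."""
    rng = random.Random(seed)
    isn = rng.randrange(MOD)
    rejected = 0
    for _ in range(connections):
        # Previous connection reused this 4-tuple; the peer's rcv_nxt is our ISN
        # advanced by SYN, FIN and the bytes we sent (constructed: under 10 kB).
        peer_rcv_nxt = (isn + 2 + rng.randrange(1, 10000)) % MOD
        isn = scheme(isn, rng)  # ISN for the next connection on the same tuple
        if not time_wait_accepts_syn(peer_rcv_nxt, isn):
            rejected += 1
    return rejected / connections


if __name__ == "__main__":
    print("scheme 0 rejection rate:", rejection_rate(isn_positive_increment))
    print("scheme 1 rejection rate:", rejection_rate(isn_randomized))
```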