Date:      Sat, 7 Jul 2001 22:30:26 -0500 (CDT)
From:      Mike Silbersack <silby@silby.com>
To:        <freebsd-stable@freebsd.org>
Subject:   Headsup: Tcp ISN generation changes from 4.2 to 4.3
Message-ID:  <20010707002821.A18599-100000@achilles.silby.com>

If you are running 4.3-release or later, please read the entirety of this
message; you are probably affected.

Shortly before 4.3-release was tagged, the tcp initial sequence number
generation scheme was changed to fix a weakness which could allow an
attacker to reset connections.  At that time, it was known that the fix
would also break TIME_WAIT handling.  The impact of this breakage was
expected to be small.  Unfortunately, recent reports on -net seem to
indicate that the breakage is widespread.

Consequently, I have just committed patches to -current and -stable which
allow you to select the tcp initial sequence number generation scheme used
by your system.  If you don't wish to cvsup just for this patch, you may
instead obtain it from http://www.silby.com/patches/multiple_isn_schemes.patch
and manually apply the patch yourself.

Once a patched / updated kernel is installed, you can change generation
schemes with the sysctl net.inet.tcp.tcp_seq_genscheme.  0 = the older
random positive increments, 1 = the newer randomized scheme.

The newer scheme causes problems in cases where a FreeBSD box is making many
outgoing connections per second to the same host.  For example, you may
have a box which connects to a backend SQL server.  If you have such a
setup, you are probably seeing many rejected connections each second /
other oddities in connection setup.  If this is the case, you should
update and toggle the system back to random positive increments.

The newer scheme causes no problems in accepting incoming connections.  As
a result, you will probably see no problems if your servers mainly handle
incoming requests and do not make many outgoing requests of their own.

This sysctl will only be temporary.  Once a secure _and_ compatible
initial sequence number generation scheme is implemented, it will become
the default.  This will be at least a few weeks away, however.  If you are
seeing the problems described above, you should cvsup (or patch) and flip
the sysctl now, rather than wait.

Mike "Silby" Silbersack
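Why the randomized scheme collides with TIME_WAIT, as an added illustration that is not part of Silbersack's message or of FreeBSD's code: the classic BSD tcp_input path, following RFC 1122 section 4.2.2.13, lets a new SYN reuse a four-tuple that is still in TIME_WAIT only if the SYN's ISN is greater (in modular 32-bit arithmetic) than the last sequence number of the old connection; otherwise the stale state answers with an ACK and the new attempt fails. Monotonically increasing ISNs (sysctl value 0) pass that test almost always; independent random ISNs (sysctl value 1) pass it about half the time, which is the "many rejected connections each second" symptom when one host reconnects rapidly to the same peer. The simulation below is a simplified model: the increment range, segment sizes and seed are constructed values, and `timewait_accepts_syn` is a hypothetical helper standing in for the kernel check.

```python
"""Simplified model of how the two FreeBSD 4.x ISN generation schemes
interact with the BSD TIME_WAIT SYN-acceptance rule (illustration only)."""
import random

ISN_SPACE = 1 << 32


def seq_gt(a, b):
    """TCP sequence comparison in modular 32-bit arithmetic (BSD's SEQ_GT)."""
    d = (a - b) & 0xFFFFFFFF
    return 0 < d < (1 << 31)


def isn_random_increment(prev_isn, rng):
    """Scheme 0 (sysctl value 0): the ISN climbs by a random positive step, so
    successive ISNs are monotonically increasing mod 2^32.
    The step range is an assumed value for this model."""
    return (prev_isn + rng.randrange(1, 1 << 20)) % ISN_SPACE


def isn_randomized(prev_isn, rng):
    """Scheme 1 (sysctl value 1): each ISN is an independent random 32-bit
    value with no relation to the previous one."""
    return rng.getrandbits(32)


def timewait_accepts_syn(syn_isn, old_last_seq):
    """RFC 1122 section 4.2.2.13 / classic BSD tcp_input: a SYN for a
    four-tuple still in TIME_WAIT is accepted (old state discarded) only if
    its ISN is greater than the last sequence number seen on the old
    connection. Hypothetical helper modelling that check."""
    return seq_gt(syn_isn, old_last_seq)


def acceptance_rate(scheme, attempts=2000, seed=7):
    """Reconnect repeatedly on the same four-tuple while the peer still holds
    TIME_WAIT for the previous connection; return the fraction of SYNs the
    peer accepts. Segment sizes are constructed sample values."""
    rng = random.Random(seed)
    isn = rng.getrandbits(32)
    last_seq = None  # last sequence number the peer saw on the old connection
    accepted = 0
    for _ in range(attempts):
        isn = scheme(isn, rng)
        if last_seq is None or timewait_accepts_syn(isn, last_seq):
            accepted += 1
            # The connection succeeds, sends a little data and closes; the
            # peer's TIME_WAIT entry now remembers its final sequence number.
            last_seq = (isn + 1 + rng.randrange(0, 1460)) % ISN_SPACE
        # On rejection the ISN generator has still advanced, but the peer's
        # TIME_WAIT entry (and therefore last_seq) is unchanged.
    return accepted / attempts


if __name__ == "__main__":
    for name, scheme in (("0 (random positive increments)", isn_random_increment),
                         ("1 (randomized ISN)", isn_randomized)):
        print(f"scheme {name}: {acceptance_rate(scheme):.1%} of reconnects accepted")
```

Running the script prints close to 100% acceptance for scheme 0 and close to 50% for scheme 1, which is why the message advises switching back to random positive increments on hosts that open many outgoing connections per second to one peer, and why a scheme that is both unpredictable and monotonic per four-tuple was needed before the randomized default could stay.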


