From owner-cvs-all@FreeBSD.ORG Sun Dec 17 16:23:56 2000
From: "David Schwartz"
To: "Poul-Henning Kamp", "Kris Kennaway"
Cc:
Subject: RE: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h
Date: Sun, 17 Dec 2000 16:23:46 -0800
In-Reply-To: <17340.977045052@critter>
Sender: owner-cvs-all@FreeBSD.ORG

> Since we only react to this in "SYN-SENT" I think the window of
> opportunity is rather small in the first place...

That assumes you don't know exactly when and where a machine is going to make a particular connection attempt. But there are security-critical tests wherein the attacker would know this exact information.

Consider, for example, an ident check. When I connect to you, I know you are immediately going to make an outbound connection to a particular IP and port. Similar arguments could be made about NIS. The same goes for proxy checking. Consider a chat server immediately after a split. I'm sure others could think of more (and more serious) examples.

My understanding was that modern operating systems do not follow the RFC in this respect. They simply store the information and use it to (possibly) modify the error code they return when/if the connection attempt fails.

DS
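Added illustration, not code from this thread or from the FreeBSD commit under discussion: a toy Python model of a socket in SYN-SENT under the two reactions to an ICMP unreachable that the mail contrasts, aborting the attempt immediately versus recording it as a soft error and reporting it only if the handshake ultimately fails. All names (SynSentSocket, run, the event strings) are invented for the model.

```python
# Toy model (constructed for illustration, not kernel code) of a TCP endpoint
# in SYN-SENT receiving an ICMP unreachable. Contrasts "abort on ICMP" with
# "store a soft error, report it only when the attempt fails".
from dataclasses import dataclass
from typing import List, Optional

ABORT_ON_ICMP = "abort"   # react immediately to the ICMP message
DEFER_ON_ICMP = "defer"   # remember it; report only if connect() fails anyway


@dataclass
class SynSentSocket:
    policy: str
    state: str = "SYN-SENT"
    soft_error: Optional[str] = None   # remembered ICMP-derived errno name
    result: Optional[str] = None       # what connect() eventually reports

    def on_icmp_unreachable(self, code: str) -> None:
        """ICMP unreachable arrives while we are still waiting for a SYN-ACK."""
        if self.state != "SYN-SENT":
            return
        if self.policy == ABORT_ON_ICMP:
            self.state, self.result = "CLOSED", code    # attempt killed now
        else:
            self.soft_error = code                      # keep waiting

    def on_syn_ack(self) -> None:
        """The genuine peer answers; only a still-open attempt can complete."""
        if self.state == "SYN-SENT":
            self.state, self.result = "ESTABLISHED", "OK"

    def on_retransmit_timeout(self) -> None:
        """SYN retransmissions exhausted: surface the stored code, if any."""
        if self.state == "SYN-SENT":
            self.state = "CLOSED"
            self.result = self.soft_error or "ETIMEDOUT"


def run(policy: str, events: List[str]) -> Optional[str]:
    """Replay a constructed event trace on a fresh socket; return the outcome."""
    sock = SynSentSocket(policy)
    for ev in events:
        if ev.startswith("icmp:"):
            sock.on_icmp_unreachable(ev.split(":", 1)[1])
        elif ev == "synack":
            sock.on_syn_ack()
        elif ev == "timeout":
            sock.on_retransmit_timeout()
    return sock.result


# Constructed traces: an unreachable lands in the window but the real peer
# answers (TRACE_RACE); the peer really is down (TRACE_DOWN).
TRACE_RACE = ["icmp:EHOSTUNREACH", "synack"]
TRACE_DOWN = ["icmp:EHOSTUNREACH", "timeout"]
```

Under the abort policy TRACE_RACE ends the attempt with EHOSTUNREACH even though the peer was reachable; under the defer policy it completes, and the stored code is only reported when the retransmissions actually run out.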