From: Lars Eggert
To: net@freebsd.org
Date: Tue, 8 Nov 2005 11:02:25 -0800
Subject: TCP RST handling in 6.0
List-Id: Networking and TCP/IP with FreeBSD

Hi,

I came across the following in the release notes of 6.0 recently:

"The RST handling of the FreeBSD TCP stack has been improved to make reset attacks as difficult as possible while maintaining compatibility with the widest range of TCP stacks. (...) Note that this behavior technically violates the RFC 793 specification; the conventional (but less secure) behavior can be restored by setting a new sysctl net.inet.tcp.insecure_rst to 1. [MERGED]"

This means that the default, unconfigured FreeBSD TCP implementation is no longer RFC-conformant, which has always been one of its advantages over competing systems. Although I agree that the modification can be useful in some specific setups, making it the default at this time appears hasty. The IETF's tcpm working group is evaluating mechanisms for RST processing, and one will likely move to standards track in the future.

Thus, I'd like to suggest that the default for net.inet.tcp.insecure_rst be zero for now. AFAIK, any other TCP mod came disabled by default in the past, too.

Lars

--
Lars Eggert
NEC Network Laboratories
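The following model contrasts the two policies the release notes refer to: the RFC 793 rule, under which any RST whose sequence number falls inside the receive window tears the connection down, and a stricter rule that only honours a RST sitting exactly at the expected edge of the window. This is an added illustration, not FreeBSD kernel code; the exact shape of the strict check (accept at rcv_nxt or last_ack_sent, drop other in-window RSTs) and the connection state used are assumptions, and the sysctl is modelled as a plain flag.

```c
/* Added example modelling RFC 793 RST acceptance versus a strict edge-only
 * check.  Not the FreeBSD implementation; the strict rule below is an
 * assumption about what "improved RST handling" means. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t tcp_seq;
/* Modular sequence comparisons, since TCP sequence numbers wrap at 2^32. */
#define SEQ_LT(a, b)  ((int32_t)((a) - (b)) < 0)
#define SEQ_GEQ(a, b) ((int32_t)((a) - (b)) >= 0)

struct tcpcb_model {
    tcp_seq  rcv_nxt;       /* next sequence number we expect to receive */
    tcp_seq  last_ack_sent; /* left edge of the window we last advertised */
    uint32_t rcv_wnd;       /* advertised receive window, in bytes */
};

/* True if a RST carrying sequence number `seq` would reset the connection.
 * insecure_rst == 1 models RFC 793: every in-window RST is honoured.
 * insecure_rst == 0 models the strict default: in-window RSTs that are not at
 * the expected edge are dropped. Out-of-window RSTs are dropped either way. */
bool rst_accepted(const struct tcpcb_model *tp, tcp_seq seq, int insecure_rst)
{
    bool in_window = SEQ_GEQ(seq, tp->last_ack_sent) &&
                     SEQ_LT(seq, tp->last_ack_sent + tp->rcv_wnd);
    if (!in_window)
        return false;
    if (insecure_rst)
        return true;
    return seq == tp->rcv_nxt || seq == tp->last_ack_sent;
}

/* Number of sequence values a RST may carry and still be accepted: the size
 * of the guess space an off-path sender faces under each policy. Only
 * in-window values can be accepted, so scanning the window is sufficient. */
uint64_t accepted_count(const struct tcpcb_model *tp, int insecure_rst)
{
    uint64_t n = 0;
    for (uint32_t off = 0; off < tp->rcv_wnd; off++)
        if (rst_accepted(tp, tp->last_ack_sent + off, insecure_rst))
            n++;
    return n;
}

/* Constructed connection state (an assumption, chosen so the window wraps
 * past 2^32): 65535-byte window, 100 bytes received but not yet ACKed. */
struct tcpcb_model example_state(void)
{
    struct tcpcb_model tp = { .rcv_nxt = 0xFFFFFF64u,
                              .last_ack_sent = 0xFFFFFF00u, .rcv_wnd = 65535 };
    return tp;
}

uint64_t example_accepted_count(int insecure_rst)
{
    struct tcpcb_model tp = example_state();
    return accepted_count(&tp, insecure_rst);
}

int main(void)
{
    printf("RFC 793 policy accepts %llu values, strict policy accepts %llu\n",
           (unsigned long long)example_accepted_count(1),
           (unsigned long long)example_accepted_count(0));
    return 0;
}
```

The count under the RFC 793 rule equals the advertised window, while the strict rule leaves only the one or two values at the window edge, which is the trade-off between conformance and resistance to blind resets that the message is about.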