Date: Wed, 21 Apr 2004 06:07:04 -0500
From: "Jacques A. Vidrine" <nectar@FreeBSD.org>
To: Mike Silbersack <silby@silby.com>
Cc: avalon@caligula.anu.edu.au
Subject: Re: [Full-Disclosure] IETF Draft - Fix for TCP vulnerability (fwd)
Message-ID: <20040421110704.GA19640@lum.celabo.org>
In-Reply-To: <20040421014736.H1228@odysseus.silby.com>
References: <200404210346.i3L3ki7E045504@gw.catspoiler.org> <20040421014736.H1228@odysseus.silby.com>
On Wed, Apr 21, 2004 at 01:50:28AM -0500, Mike Silbersack wrote:
>
> On Tue, 20 Apr 2004, Don Lewis wrote:
>
> > I am concerned that step C will not solve the compatibility problem. The
> > FreeBSD host is sending a FIN to close an established connection, and
> > the peer host adding the window size advertised in the FIN packet to the
> > sequence number acknowledged in the FIN packet, and using the sum as the
> > sequence number for the RST packet, which puts the sequence number at
> > the end of the receive window.
>
> Would it be feasible for us to create a four to five element array to
> track "resettable" sequence numbers? This could hold the sequence numbers
> of the last few packets transmitted, and account for that edge case as
> well. I'm very uneasy with the IETF step C - sending more packets out
> into the network sounds like a new type of amplification attack.

I'm also somewhat skeptical. Considering the attack that this is supposed to
mitigate, it would probably be a good idea to implement this as a compile-time
option defaulting OFF at first. Those really worried about an attack (running
BGP?) can utilize it, as well as those testing interoperability for a while.

Cheers,
--
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org
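The three RST-acceptance rules being compared in this thread, as an added illustration that is not FreeBSD code and not the draft's own text: a hypothetical minimal TCB (`Tcb`, with made-up field names) applies the pre-draft in-window check, the draft's exact-match-or-challenge-ACK rule (step C), and Mike's proposed short history of "resettable" sequence numbers that would cover the FIN edge case Don describes.

```python
from collections import deque

MOD = 1 << 32  # TCP sequence numbers wrap modulo 2^32


class Tcb:
    """Hypothetical, stripped-down TCB holding only what the RST check needs."""

    def __init__(self, rcv_nxt, rcv_wnd, history=5):
        self.rcv_nxt = rcv_nxt  # next sequence number expected from the peer
        self.rcv_wnd = rcv_wnd  # receive window currently advertised
        # Proposed "resettable" history: sequence numbers a peer might legitimately
        # put in a RST, i.e. ack + window of the last few segments we transmitted.
        self.resettable = deque(maxlen=history)

    def record_sent(self, seg_ack, seg_wnd):
        """Call after transmitting a segment (for example our FIN) carrying ack/window."""
        self.resettable.append((seg_ack + seg_wnd) % MOD)

    def in_window(self, seq):
        # RFC 793 window test: rcv_nxt <= seq < rcv_nxt + rcv_wnd, done modulo 2^32.
        return (seq - self.rcv_nxt) % MOD < self.rcv_wnd

    def classify_rst(self, seq, strict=True):
        """Decide what to do with an incoming RST carrying sequence number `seq`.

        strict=False: pre-draft behaviour, any in-window RST tears the connection down.
        strict=True : draft step C, only an exact match resets; other in-window RSTs
                      get a challenge ACK, with the proposed history as an exception.
        """
        if seq == self.rcv_nxt:
            return "accept"
        if not strict:
            return "accept" if self.in_window(seq) else "drop"
        if seq in self.resettable:
            return "accept"  # end-of-window RST matching a segment we recently sent
        if self.in_window(seq):
            return "challenge-ack"
        return "drop"
```

Each history entry is one more value a blind RST can hit, so the exception trades a little of step C's protection for compatibility with peers that reset at ack + window.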