From owner-freebsd-net  Mon Jul 16 17:17:58 2001
Delivered-To: freebsd-net@freebsd.org
Received: from silby.com (cb34181-a.mdsn1.wi.home.com [24.14.173.39])
	by hub.freebsd.org (Postfix) with ESMTP id 683E737B407
	for <net@freebsd.org>; Mon, 16 Jul 2001 17:17:54 -0700 (PDT)
	(envelope-from silby@silby.com)
Received: (qmail 74472 invoked by uid 1000); 17 Jul 2001 00:17:51 -0000
Received: from localhost (sendmail-bs@127.0.0.1)
  by localhost with SMTP; 17 Jul 2001 00:17:51 -0000
Date: Mon, 16 Jul 2001 19:17:51 -0500 (CDT)
From: Mike Silbersack <silby@silby.com>
To: Niels Provos <provos@citi.umich.edu>
Cc: Kris Kennaway <kris@obsecurity.org>,
	Jonathan Lemon <jlemon@flugsvamp.com>, <gjohnson@srrc.ars.usda.gov>,
	<net@freebsd.org>
Subject: Re: TCP ISN algorithm breaks TIME_WAIT (Re: select fails to return
 incoming connect on FreeBSD-4.3) 
In-Reply-To: <20010716185135.B314F207C1@citi.umich.edu>
Message-ID: <20010716191121.B74348-100000@achilles.silby.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-net.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-net>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-net>
X-Loop: FreeBSD.org


On Mon, 16 Jul 2001, Niels Provos wrote:

> In message <20010715131148.A10745@xor.obsecurity.org>, Kris Kennaway writes:
> >Sorry I've been ignoring this; I'm still getting caught up from my
> >vacation.  Niels, how has OpenBSD handled this?
> Not.  We have the same problem.  I argue that the test is bogus.
>
> First of all, if we are getting a SYN for this 4-tuple, it is very
> likely that all segments from the old connection have left the
> network.
>
> The current code does not deal with wrap around either.

The test may be bogus, but it must be respected.  Every old BSD based
system out there has it, and we can't update every system because we no
longer like it.

We should still be fine sending out randomized ISNs in SYNACKs; it appears
to be SYNs sent out by us which must be monotonic.

> On the other hand, there are already a number of operating systems
> that use randomized ISNs.  Linux has been doing this for quite some
> time.  As a result, we can not rely on monotonely increasing ISNs
> anyway.

I just looked at a copy of 2.4.1, and it appears to use a RFC1948-like
algorithm. I think 2.0 was randomized, but more recent versions have not
been.

Mike "Silby" Silbersack


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message