Date: Mon, 16 Jul 2001 19:17:51 -0500 (CDT) From: Mike Silbersack <silby@silby.com> To: Niels Provos <provos@citi.umich.edu> Cc: Kris Kennaway <kris@obsecurity.org>, Jonathan Lemon <jlemon@flugsvamp.com>, <gjohnson@srrc.ars.usda.gov>, <net@freebsd.org> Subject: Re: TCP ISN algorithm breaks TIME_WAIT (Re: select fails to return incoming connect on FreeBSD-4.3) Message-ID: <20010716191121.B74348-100000@achilles.silby.com> In-Reply-To: <20010716185135.B314F207C1@citi.umich.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 16 Jul 2001, Niels Provos wrote: > In message <20010715131148.A10745@xor.obsecurity.org>, Kris Kennaway writes: > >Sorry I've been ignoring this; I'm still getting caught up from my > >vacation. Niels, how has OpenBSD handled this? > Not. We have the same problem. I argue that the test is bogus. > > First of all, if we are getting a SYN for this 4-tuple, it is very > likely that all segments from the old connection have left the > network. > > The current code does not deal with wrap around either. The test may be bogus, but it must be respected. Every old BSD based system out there has it, and we can't update every system because we no longer like it. We should still be fine sending out randomized ISNs in SYNACKs; it appears to be SYNs sent out by us which must be monotonic. > On the other hand, there are already a number of operating systems > that use randomized ISNs. Linux has been doing this for quite some > time. As a result, we can not rely on monotonely increasing ISNs > anyway. I just looked at a copy of 2.4.1, and it appears to use a RFC1948-like algorithm. I think 2.0 was randomized, but more recent versions have not been. Mike "Silby" Silbersack To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010716191121.B74348-100000>