Date: Wed, 27 Jun 2001 18:28:32 -0500 (CDT)
From: Mike Silbersack <silby@silby.com>
To: Glenn Johnson <gjohnson@srrc.ars.usda.gov>
Cc: Jonathan Lemon <jlemon@flugsvamp.com>, <net@freebsd.org>, <kris@freebsd.org>
Subject: Re: select fails to return incoming connect on FreeBSD-4.3
Message-ID: <20010627182247.B87959-100000@achilles.silby.com>
In-Reply-To: <20010627172342.A10739@node7.cluster.srrc.usda.gov>
On Wed, 27 Jun 2001, Glenn Johnson wrote:

> On Wed, Jun 27, 2001 at 03:00:31PM -0500, Mike Silbersack wrote:
>
> > It's a feature, not a bug. :)
> >
> > Since everyone's on vacation and we can't switch generation schemes
> > right now, I've e-mailed kris and asked if he objects to me adding a
> > sysctl which switches between the current and old generation schemes.
> > If he says it's ok, I'll commit it soon and those affected will be
> > able to use the old generation scheme.
>
> That would be great. What would be the negatives to using the old
> generation scheme?
>
> Thanks.
>
> --
> Glenn Johnson

The old scheme is possibly vulnerable to spoofing attacks, and has been
proven to be vulnerable to connection resetting attacks. See Tim Newsham's
paper on this at guardent.com (I'm not sure of the exact URL.) It's
unlikely that you'd see people abusing those weaknesses, but the default
has changed to make sure it can't happen.

A scheme which provides proper operation of TIME_WAIT and a high level of
attack resistance will be in place by the time 4.4 comes out; which scheme
that is is still up for debate. :)

Mike "Silby" Silbersack
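The trade-off Mike describes above, as an added illustration that is not part of the thread and not FreeBSD code: a sequential ISN counter is trivially predictable (which is what makes blind spoofing and in-window RST attacks feasible), a fully random ISN is unpredictable but a reconnect on a 4-tuple still in TIME_WAIT only carries a higher sequence number about half the time (so the peer's TIME_WAIT socket is only sometimes replaced), and the RFC 1948 construction (a clock plus a keyed hash of the 4-tuple) gives both properties for a fixed tuple. RFC 1948 is one candidate for the "proper TIME_WAIT operation and high attack resistance" scheme; the thread itself does not name it. The increment sizes, addresses, the HMAC-SHA256 in place of RFC 1948's MD5, and the seeded PRNG standing in for a kernel CSPRNG are all constructed for this model.

```python
"""Toy model of three TCP ISN generation schemes (constructed example).

Two properties are measured: whether an off-path attacker who observed one
ISN can guess the ISN of a later connection on another 4-tuple to within a
window, and whether a client reconnecting on the same 4-tuple produces an
ISN above the sequence space of the previous incarnation, which is what
lets a BSD peer replace a TIME_WAIT socket (SEQ_GT(new SYN seq, rcv_nxt))
instead of dropping the SYN.  Clock is in 4-microsecond ticks as in RFC 1948.
"""
import hashlib
import hmac
import os
import random

M32 = 1 << 32

# Constructed connection identifiers (local addr, local port, remote addr, remote port).
ATTACKER_TUPLE = ("10.0.0.1", 80, "10.0.0.2", 40000)
VICTIM_TUPLE = ("10.0.0.1", 80, "10.0.0.3", 40000)


def seq_gt(a, b):
    """TCP sequence comparison with 32-bit wraparound: True if a is after b."""
    return a != b and ((a - b) % M32) < (1 << 31)


def within_window(a, b, window):
    """True if a and b differ by less than `window`, modulo 2**32."""
    d = (a - b) % M32
    return d < window or (M32 - d) < window


class SequentialISN:
    """Classic BSD style: one global counter, bumped per connection and per tick.
    Increments are illustrative, not the historical constants."""
    PER_CONN, PER_TICK = 64000, 1

    def __init__(self):
        self.counter, self.last_tick = 0, 0

    def isn(self, four_tuple, tick):
        self.counter = (self.counter + (tick - self.last_tick) * self.PER_TICK
                        + self.PER_CONN) % M32
        self.last_tick = tick
        return self.counter

    def guess(self, observed, elapsed):
        # Attacker knows the algorithm and the timing: the guess is exact.
        return (observed + elapsed * self.PER_TICK + self.PER_CONN) % M32


class RandomISN:
    """Fully random ISN.  A kernel would use a CSPRNG; seeded here for reproducibility."""
    def __init__(self, seed=None):
        self.rng = random.Random(seed)

    def isn(self, four_tuple, tick):
        return self.rng.getrandbits(32)

    def guess(self, observed, elapsed):
        return observed  # nothing observed carries information about the next value


class Rfc1948ISN:
    """ISN = M(t) + F(tuple, secret): a clock plus a keyed hash of the 4-tuple.
    For a fixed tuple the offset is constant, so ISNs advance with the clock;
    across tuples the offset is unpredictable without the secret."""
    def __init__(self, secret=None):
        self.secret = secret if secret is not None else os.urandom(16)

    def isn(self, four_tuple, tick):
        mac = hmac.new(self.secret, repr(four_tuple).encode(), hashlib.sha256).digest()
        return (tick + int.from_bytes(mac[:4], "big")) % M32

    def guess(self, observed, elapsed):
        return (observed + elapsed) % M32  # attacker knows the clock, not the per-tuple offset


def prediction_hit_rate(make_gen, trials, window=1 << 16, seed=1):
    """Attacker opens a probe connection, then guesses the ISN the same host
    hands a victim's connection shortly afterwards."""
    rng, gen, tick, hits = random.Random(seed), make_gen(), 0, 0
    for _ in range(trials):
        tick += rng.randint(1000, 5000)
        observed = gen.isn(ATTACKER_TUPLE, tick)
        elapsed = rng.randint(1000, 5000)
        tick += elapsed
        actual = gen.isn(VICTIM_TUPLE, tick)
        hits += within_window(gen.guess(observed, elapsed), actual, window)
    return hits / trials


def timewait_reuse_rate(make_gen, trials, bytes_sent=1000, seed=2):
    """Client closes a connection, then reconnects on the same 4-tuple while the
    peer is in TIME_WAIT.  The peer replaces the old socket only if the new
    SYN's sequence number is above the last one it received (rcv_nxt)."""
    rng, gen, tick, ok = random.Random(seed), make_gen(), 0, 0
    for _ in range(trials):
        tick += rng.randint(5000, 20000)
        isn1 = gen.isn(VICTIM_TUPLE, tick)
        rcv_nxt = (isn1 + bytes_sent) % M32
        tick += rng.randint(5000, 20000)  # reconnect well inside 2*MSL
        ok += seq_gt(gen.isn(VICTIM_TUPLE, tick), rcv_nxt)
    return ok / trials


if __name__ == "__main__":
    for name, mk in (("sequential", SequentialISN), ("random", lambda: RandomISN(3)),
                     ("rfc1948", Rfc1948ISN)):
        print(f"{name:10s} predicted={prediction_hit_rate(mk, 1000):.3f} "
              f"timewait_reuse={timewait_reuse_rate(mk, 1000):.3f}")
```

Running the module prints the two rates per scheme: the sequential counter is predicted every time and always reuses TIME_WAIT, the random scheme is never predicted but reuses TIME_WAIT in roughly half the trials (the other half correspond to the dropped SYNs and the stalled connect in the thread's subject), and the RFC 1948 scheme is neither predictable across tuples nor ever blocked by TIME_WAIT on the same tuple. A real implementation must also rekey the secret periodically, which this model omits.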