From owner-freebsd-net Wed Jun 27 16:28:37 2001
Date: Wed, 27 Jun 2001 18:28:32 -0500 (CDT)
From: Mike Silbersack
To: Glenn Johnson
Cc: Jonathan Lemon, ...
Subject: Re: select fails to return incoming connect on FreeBSD-4.3
In-Reply-To: <20010627172342.A10739@node7.cluster.srrc.usda.gov>
Message-ID: <20010627182247.B87959-100000@achilles.silby.com>

On Wed, 27 Jun 2001, Glenn Johnson wrote:

> On Wed, Jun 27, 2001 at 03:00:31PM -0500, Mike Silbersack wrote:
>
> > It's a feature, not a bug. :)
> >
> > Since everyone's on vacation and we can't switch generation schemes
> > right now, I've e-mailed kris and asked if he objects to me adding a
> > sysctl which switches between the current and old generation schemes.
> > If he says it's ok, I'll commit it soon and those affected will be
> > able to use the old generation scheme.
>
> That would be great. What would be the negatives to using the old
> generation scheme?
>
> Thanks.
>
> --
> Glenn Johnson

The old scheme is possibly vulnerable to spoofing attacks, and has been
proven to be vulnerable to connection resetting attacks. See Tim
Newsham's paper on this at guardent.com (I'm not sure of the exact url.)
It's unlikely that you'd see people abusing those weaknesses, but the
default has changed to make sure it can't happen.

A scheme which provides proper operation of TIME_WAIT and a high level
of attack resistance will be in place by the time 4.4 comes out; which
scheme that is is still up for debate. :)

Mike "Silby" Silbersack