From owner-freebsd-security Mon Jun 2 20:27:45 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id UAA00584 for security-outgoing; Mon, 2 Jun 1997 20:27:45 -0700 (PDT) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id UAA00578 for ; Mon, 2 Jun 1997 20:27:40 -0700 (PDT) Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id XAA20211; Mon, 2 Jun 1997 23:24:15 -0400 (EDT) From: Adam Shostack Message-Id: <199706030324.XAA20211@homeport.org> Subject: Re: TCP RST Handling in 2.2 (fwd) In-Reply-To: <199706022324.TAA25329@khavrinen.lcs.mit.edu> from Garrett Wollman at "Jun 2, 97 07:24:55 pm" To: wollman@khavrinen.lcs.mit.edu (Garrett Wollman) Date: Mon, 2 Jun 1997 23:24:15 -0400 (EDT) Cc: darrenr@cyber.com.au, security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk Garrett Wollman wrote: | < said: | | > Currently, not even the SEQ number is verified (for an RST packet) - i.e. | > that the ACK does acknowledge the SYN. | | > I think there is room for improvement in the code. Comments ? | | Certainly. It might also be worth implementing the three-way RST | handshake which has been proposed by some to fill some theoretical | gaps in TCP's handling of resets which could (very rarely) result in | innocent connections getting reset. I'd strongly recommend against implementing a non standard TCP mod as anything but an option for those who want to play with it. Please don't put it in the base code. -- "It is seldom that liberty of any kind is lost all at once." -Hume