Date: Mon, 18 Dec 2000 17:12:48 -0500
From: Barney Wolff <barney@databus.com>
To: Jesper Skriver <jesper@skriver.dk>
Cc: Mike Silbersack <silby@silby.com>, Kris Kennaway <kris@FreeBSD.ORG>, Poul-Henning Kamp <phk@critter.freebsd.dk>, security-officer@FreeBSD.ORG, cvs-all@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject: Re: what to do now ? Was: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h
Message-ID: <20001218171248.A67546@mx.databus.com>
In-Reply-To: <20001218202710.A16059@skriver.dk>; from jesper@skriver.dk on Mon, Dec 18, 2000 at 08:27:10PM +0100
References: <20001218182600.C1856@skriver.dk> <Pine.BSF.4.21.0012181310290.63148-100000@achilles.silby.com> <20001218202710.A16059@skriver.dk>
I suggest that the ICMP unreachable affect connections only in SYN-SENT and only if the seq number matches, and that it not affect IPSEC'd connections at all.

FYI, IPSEC does not run over GRE, but uses two protocol numbers of its own, 50 for ESP and 51 for AH. IKE uses UDP port 500, not TCP.

Without the check on seq # & state as well as port/ip, it's too easy to DoS by blindly blasting unreachables to every source port.

Barney Wolff

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001218171248.A67546>
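The policy proposed in the message, written out as an added example for this page; it is not Barney Wolff's code and not FreeBSD's ip_icmp.c or tcp_subr.c. It models a single TCP connection in userland and decides whether an ICMP unreachable may abort it. The quoted packet is the IPv4 header plus the first 8 bytes of transport header that ICMP errors carry, which for TCP covers both ports and the sequence number. The function and type names, the three-state connection table, the sample addresses and the ISS value are assumptions; the `strict` flag switches between a port/address-only match and the SYN-SENT plus sequence-number check the message asks for, so the blind-blast attacker it describes can be run against both.

```c
/*
 * Added example (not from the message or FreeBSD's netinet code): a
 * userland model of the stricter ICMP-unreachable policy proposed above.
 * Names, the three-state connection table and the sample values are
 * assumptions for illustration; addresses and ports are in host order.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROTO_TCP 6    /* IANA protocol numbers as quoted in the ICMP payload */
#define PROTO_ESP 50
#define PROTO_AH  51

enum tcp_state { TCPS_CLOSED, TCPS_SYN_SENT, TCPS_ESTABLISHED };

struct conn {
    uint32_t laddr, faddr;   /* local / foreign IPv4 address */
    uint16_t lport, fport;   /* local / foreign TCP port */
    enum tcp_state state;
    uint32_t iss;            /* initial send sequence number (from our SYN) */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Build the part of an ICMP error that matters here: the offending datagram's
   IPv4 header (no options) plus the first 8 bytes of its transport header.
   Constructed test input; checksums are left zero. Returns the byte count. */
size_t build_quote(uint8_t *out, uint8_t proto, uint32_t src, uint32_t dst,
                   uint16_t sport, uint16_t dport, uint32_t seq) {
    memset(out, 0, 28);
    out[0] = 0x45;            /* version 4, IHL 5 */
    wr16(out + 2, 28);        /* total length */
    out[8] = 64;              /* TTL */
    out[9] = proto;
    wr32(out + 12, src);
    wr32(out + 16, dst);
    wr16(out + 20, sport);    /* transport header: ports ... */
    wr16(out + 22, dport);
    wr32(out + 24, seq);      /* ... and, for TCP, the sequence number */
    return 28;
}

/* Decide whether an ICMP unreachable quoting `buf` may abort connection `c`.
   strict=false is the port/address-only match the message warns about;
   strict=true adds the SYN-SENT and sequence-number conditions it proposes.
   A quoted ESP/AH/UDP packet never matches a TCP connection either way. */
bool icmp_unreach_should_abort(const struct conn *c, const uint8_t *buf,
                               size_t len, bool strict) {
    if (len < 20 || (buf[0] >> 4) != 4) return false;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8) return false;        /* truncated quote */
    if (buf[9] != PROTO_TCP) return false;              /* ESP (50), AH (51), ... */
    if (rd32(buf + 12) != c->laddr || rd32(buf + 16) != c->faddr) return false;
    if (rd16(buf + ihl) != c->lport || rd16(buf + ihl + 2) != c->fport) return false;
    if (!strict) return true;
    if (c->state != TCPS_SYN_SENT) return false;        /* handshake only */
    return rd32(buf + ihl + 4) == c->iss;               /* must quote our SYN */
}

/* Build a quote claiming to be our packet to the foreign side, then check it. */
bool check_case(const struct conn *c, uint8_t proto, uint16_t sport,
                uint32_t seq, bool strict) {
    uint8_t b[28];
    size_t n = build_quote(b, proto, c->laddr, c->faddr, sport, c->fport, seq);
    return icmp_unreach_should_abort(c, b, n, strict);
}

/* Attacker model from the message: forge one unreachable per source port at
   the SYN-SENT socket without knowing its ISS. Returns how many of the 65536
   forgeries would abort the connection. */
unsigned blind_blast_hits(const struct conn *c, uint32_t guessed_seq, bool strict) {
    unsigned hits = 0;
    for (uint32_t p = 0; p < 65536; p++)
        if (check_case(c, PROTO_TCP, (uint16_t)p, guessed_seq, strict)) hits++;
    return hits;
}

/* Sample connection 10.0.0.1:40000 -> 10.0.0.2:80 with a made-up ISS. */
struct conn make_conn(enum tcp_state st) {
    struct conn c = { 0x0a000001u, 0x0a000002u, 40000, 80, st, 0x1234abcdu };
    return c;
}

int main(void) {
    struct conn c = make_conn(TCPS_SYN_SENT);
    printf("genuine unreachable for our SYN, strict: %d\n",
           check_case(&c, PROTO_TCP, c.lport, c.iss, true));
    printf("blind blast, wrong seq, port/ip only:    %u hits\n",
           blind_blast_hits(&c, 0xdeadbeefu, false));
    printf("blind blast, wrong seq, strict:          %u hits\n",
           blind_blast_hits(&c, 0xdeadbeefu, true));
    printf("quoted ESP packet, strict:               %d\n",
           check_case(&c, PROTO_ESP, c.lport, c.iss, true));
    return 0;
}
```

With port/address matching alone, one forged unreachable per source port is guaranteed to land on every connection in the table, which is the DoS the message describes; with the sequence-number condition the attacker must also know the ISS, so the same blast scores zero hits. The state condition keeps an established connection immune even from a correct guess, and the protocol check means a quoted ESP or AH packet (protocol 50 or 51) never reaches the TCP lookup at all.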