Date: Fri, 23 Apr 2004 18:57:20 -0500 (CDT) From: Mike Silbersack <silby@silby.com> To: jayanth <jayanth@yahoo-inc.com> Cc: kernel@yahoo-inc.com Subject: Re: [Full-Disclosure] IETF Draft - Fix for TCP vulnerability (fwd) Message-ID: <20040423185501.S5540@odysseus.silby.com> In-Reply-To: <20040423231936.GC21555@yahoo-inc.com> References: <200404231041.i3NAfR7E051507@gw.catspoiler.org> <20040423231936.GC21555@yahoo-inc.com>
index | next in thread | previous in thread | raw e-mail
On Fri, 23 Apr 2004, jayanth wrote: > > I think Darren's suggestion would be a reasonable compromise; use the > > strict check in the ESTABLISHED state, and the permissive check otherwise. > > Established connections are what would be attacked, so we need the > > security there, but the closing states are where oddities seem to pop up, > > so we can use the permissive check there. > > > > If this is acceptable, I'd like to get it committed this weekend so that > > we can still get it into 4.10. > > > > sure, that sounds reasonable. The sysctl should be good for yahoo. > > thanks, > jayanth There wouldn't be a sysctl, as you wouldn't need one, if I understand things correctly. Since the "bad" RST is in response to the FreeBSD box sending a FIN, the FreeBSD box would have already transitioned to FIN_WAIT_1, and would accept the "bad" RST, as it would only be subject to the check we're using at present. Mike "Silby" Silbersackhome | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040423185501.S5540>