Date: Fri, 23 Apr 2004 18:57:20 -0500 (CDT)
From: Mike Silbersack <silby@silby.com>
To: jayanth <jayanth@yahoo-inc.com>
Cc: kernel@yahoo-inc.com
Subject: Re: [Full-Disclosure] IETF Draft - Fix for TCP vulnerability (fwd)
Message-ID: <20040423185501.S5540@odysseus.silby.com>
In-Reply-To: <20040423231936.GC21555@yahoo-inc.com>
References: <200404231041.i3NAfR7E051507@gw.catspoiler.org> <20040423231936.GC21555@yahoo-inc.com>
On Fri, 23 Apr 2004, jayanth wrote:

> > I think Darren's suggestion would be a reasonable compromise; use the
> > strict check in the ESTABLISHED state, and the permissive check otherwise.
> > Established connections are what would be attacked, so we need the
> > security there, but the closing states are where oddities seem to pop up,
> > so we can use the permissive check there.
> >
> > If this is acceptable, I'd like to get it committed this weekend so that
> > we can still get it into 4.10.
> >
>
> sure, that sounds reasonable. The sysctl should be good for yahoo.
>
> thanks,
> jayanth

There wouldn't be a sysctl, as you wouldn't need one, if I understand
things correctly.  Since the "bad" RST is in response to the FreeBSD box
sending a FIN, the FreeBSD box would have already transitioned to
FIN_WAIT_1, and would accept the "bad" RST, as it would only be subject to
the check we're using at present.

Mike "Silby" Silbersack
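The per-state RST check the thread settles on, as an added illustration that is not code from this thread or from the FreeBSD kernel. The message does not spell out what "strict" and "permissive" mean, so the definitions below are assumptions: strict accepts a RST only when its sequence number equals rcv_nxt exactly; permissive (the check "we're using at present") accepts any RST whose sequence number falls inside the receive window. The Connection class, the sequence numbers and the window size are constructed for the example; state names follow RFC 793.

```python
# Added example, not code from the FreeBSD thread: per-state TCP RST
# acceptance as described in the message above.  "Strict" and "permissive"
# semantics are assumptions (see lead-in).  Sequence arithmetic is mod 2**32.

MOD = 1 << 32

ESTABLISHED = "ESTABLISHED"
FIN_WAIT_1 = "FIN_WAIT_1"   # reached after the local side sends its FIN


def seq_lt(a, b):
    """True if sequence number a precedes b in modulo-2**32 space."""
    return ((a - b) & 0xFFFFFFFF) > 0x7FFFFFFF


def in_window(seq, rcv_nxt, rcv_wnd):
    """Permissive check: rcv_nxt <= seq < rcv_nxt + rcv_wnd, with wraparound.

    A zero window accepts only seq == rcv_nxt, as RFC 793 does for segments
    that carry no data.
    """
    if rcv_wnd == 0:
        return seq == rcv_nxt
    end = (rcv_nxt + rcv_wnd) % MOD
    return not seq_lt(seq, rcv_nxt) and seq_lt(seq, end)


def accept_rst(state, seq, rcv_nxt, rcv_wnd):
    """Strict match while ESTABLISHED (the state a blind reset would target),
    in-window match in every other state, where peers' closing RSTs are odd."""
    if state == ESTABLISHED:
        return seq == rcv_nxt
    return in_window(seq, rcv_nxt, rcv_wnd)


class Connection:
    """Minimal receive-side state, constructed for the example."""

    def __init__(self, rcv_nxt, rcv_wnd):
        self.state = ESTABLISHED
        self.rcv_nxt = rcv_nxt
        self.rcv_wnd = rcv_wnd

    def send_fin(self):
        # Active close: ESTABLISHED -> FIN_WAIT_1, so the permissive check now applies.
        if self.state == ESTABLISHED:
            self.state = FIN_WAIT_1

    def on_rst(self, seq):
        return accept_rst(self.state, seq, self.rcv_nxt, self.rcv_wnd)


def scenario():
    """Replays the two cases from the thread on constructed numbers.

    Returns (blind_in_window_while_established, exact_while_established,
             off_by_one_after_fin).
    """
    conn = Connection(rcv_nxt=1000, rcv_wnd=65535)
    # A RST that lands inside the window but not on rcv_nxt is dropped while ESTABLISHED.
    blind_in_window = conn.on_rst(1000 + 4000)
    # A RST that matches rcv_nxt exactly is accepted.
    exact = conn.on_rst(1000)
    # After we send a FIN, a peer RST slightly off rcv_nxt passes the permissive check,
    # which is why no sysctl is needed for the closing-state oddity.
    conn.send_fin()
    off_by_one_after_fin = conn.on_rst(1000 + 1)
    return blind_in_window, exact, off_by_one_after_fin


if __name__ == "__main__":
    print(scenario())
```

The split matters because ESTABLISHED is the long-lived state an attacker would aim a guessed RST at, so only an exact match is tolerated there; in FIN_WAIT_1 and the other closing states the connection is already going away, and accepting an in-window RST costs little while avoiding interoperability breakage with stacks whose closing RSTs do not land exactly on rcv_nxt.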