From owner-freebsd-security Tue Jun 3 06:04:16 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id GAA27265 for security-outgoing; Tue, 3 Jun 1997 06:04:16 -0700 (PDT)
Received: from agora.rdrop.com (root@agora.rdrop.com [199.2.210.241]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id GAA27260 for ; Tue, 3 Jun 1997 06:04:14 -0700 (PDT)
Received: from zibbi.mikom.csir.co.za (zibbi.mikom.csir.co.za [146.64.24.58]) by agora.rdrop.com (8.8.5/8.8.5) with ESMTP id GAA25527 for ; Tue, 3 Jun 1997 06:03:46 -0700 (PDT)
Received: (from jhay@localhost) by zibbi.mikom.csir.co.za (8.8.5/8.8.5) id PAA09997; Tue, 3 Jun 1997 15:01:18 +0200 (SAT)
From: John Hay
Message-Id: <199706031301.PAA09997@zibbi.mikom.csir.co.za>
Subject: Re: TCP RST Handling in 2.2 (fwd)
In-Reply-To: <199706031204.IAA21853@homeport.org> from Adam Shostack at "Jun 3, 97 08:04:54 am"
To: adam@homeport.org (Adam Shostack)
Date: Tue, 3 Jun 1997 15:01:18 +0200 (SAT)
Cc: security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL31 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> That's a bug in trumpet, which should be fixed there. Is there an RFC
> which details this mod you're suggesting? I'd hate to see my OpenBSD
> boxes react even more negatively to freebsd. Arbitrary extra rst
> packets arriving worry me.

I agree that it is a bug in trumpet, but I still don't think another
machine should be able to just kill my connections like it is now.

>
> (Right now, they refuse to talk NFS to a freebsd server with virtual
> interfaces, since the kernel doesn't send packets back with the right
> IP address. OpenBSD assumes that a spoof is taking place.)
>
> Adam
>
> PS To Darren: This is the change I was referring to, not fixing the
> bug you were pointing out.
>
> John Hay wrote:
>
> | > | Certainly. It might also be worth implementing the three-way RST
> | > | handshake which has been proposed by some to fill some theoretical
> | > | gaps in TCP's handling of resets which could (very rarely) result in
> | > | innocent connections getting reset.
> | >
> | > I'd strongly recommend against implementing a non standard
> | > TCP mod as anything but an option for those who want to play with it.
> | > Please don't put it in the base code.
> |
> | But if we can get something better than we have now, I would feel a lot
> | better. Last week we had the case here where tcp connections between
> | machines would just die at random with a "connection reset by peer"
> | message. It turned out that there was an old Windows 3.1 box with
> | Trumpet Winsock v1.0b which sent Reset messages "at random" for connections
> | that had nothing to do with it, except that it was on the same piece
> | of ethernet coax.
> |
> | John

--
John Hay -- John.Hay@mikom.csir.co.za
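The thread above argues over how much a receiver should trust an incoming RST. The following is an added example, not code from the thread or from FreeBSD: it models the decision a receiver in ESTABLISHED makes for a RST segment under the original RFC 793 rule (any in-window RST tears the connection down, which is why the stray Trumpet Winsock resets killed unrelated connections) beside the rule later standardised in RFC 5961 section 3.2 (only an exact-sequence RST resets immediately; an in-window but inexact RST is answered with a "challenge ACK" and the connection is kept, so a peer that really closed will reply with an exact RST). The connection state and the RST sequence numbers are constructed; `Conn`, `rst_rfc793` and `rst_rfc5961` are names chosen here.

```python
# Added example (not from the mailing-list thread): compare two policies a
# TCP receiver in ESTABLISHED can apply to an incoming RST segment.
from dataclasses import dataclass

SEQ_MOD = 1 << 32  # TCP sequence numbers wrap modulo 2^32


@dataclass
class Conn:
    """Constructed receive-side state of one connection."""
    rcv_nxt: int  # next sequence number the receiver expects
    rcv_wnd: int  # advertised receive window


def in_window(conn: Conn, seq: int) -> bool:
    # Wrap-safe check: RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND
    return (seq - conn.rcv_nxt) % SEQ_MOD < conn.rcv_wnd


def rst_rfc793(conn: Conn, seq: int) -> str:
    """Original rule: any RST whose sequence number is in-window resets
    the connection. A third host guessing a number anywhere in the
    window (or, as on the shared coax, emitting random RSTs) succeeds."""
    return "reset" if in_window(conn, seq) else "drop"


def rst_rfc5961(conn: Conn, seq: int) -> str:
    """RFC 5961 sec. 3.2: reset only on an exact match; an in-window but
    inexact RST gets a challenge ACK instead of tearing the connection
    down; anything outside the window is silently dropped."""
    if seq == conn.rcv_nxt:
        return "reset"
    if in_window(conn, seq):
        return "challenge_ack"
    return "drop"


def compare(conn: Conn, rst_seqs) -> dict:
    """Map each constructed RST sequence number to (RFC793, RFC5961) action."""
    return {seq: (rst_rfc793(conn, seq), rst_rfc5961(conn, seq)) for seq in rst_seqs}


if __name__ == "__main__":
    # Constructed state: receiver expects seq 1000 with a 65535-byte window.
    c = Conn(rcv_nxt=1000, rcv_wnd=65535)
    for seq, (old, new) in compare(c, [1000, 30000, 66534, 66535, SEQ_MOD - 5]).items():
        print(f"RST seq={seq:>10}: RFC793={old:<6} RFC5961={new}")
```

Only the exact-sequence RST is accepted under both rules; the in-window guesses that the old rule accepted now cost the sender a round trip with the real peer, which a third party on the wire cannot complete.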