Date: Sun, 17 Dec 2000 10:03:28 -0800
From: Alfred Perlstein
To: Jesper Skriver
Cc: "Louis A. Mamakos", Kris Kennaway, Poul-Henning Kamp, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org, security-officer@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h
Message-ID: <20001217100327.K19572@fw.wintelcom.net>
References: <200012161942.eBGJg7j93654@freefall.freebsd.org> <20001217012007.A18038@citusc.usc.edu> <200012171529.eBHFT4512582@whizzo.transsys.com> <20001217182056.B34282@skriver.dk> <20001217183016.C34282@skriver.dk>
In-Reply-To: <20001217183016.C34282@skriver.dk>; from jesper@skriver.dk on Sun, Dec 17, 2000 at 06:30:16PM +0100

* Jesper Skriver [001217 09:30] wrote:
>
> A sniffer trace gives me the IP header + 8 bytes. The first 8 bytes of
> the TCP header is source and destination ports + sequence number.
>
> Now, I need to find a way to decode these 8 bytes, and find the matching
> sessions, and only zap those.
>
> I'll look more at this, but I probably won't have anything working until
> later this week, as I have a few things I need to get done first.
>
> As the code is disabled by default, I don't think this is a major
> problem ?

I'm annoyed that I was side-stepped to get this code in. My objection
was because of the problems with spoofing this type of ICMP.

Had you done the research and explained to me that:

> > > The Destination Unreachable ICMP message should include a copy of the
> > > IP header plus 20 bytes of payload (TCP segment header) which you
> > > could use to validate it. I only glanced briefly at the patch, and don't
> > > know if that was being done or not.

it would have been fine as long as you implemented the check.

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."
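The check the thread is asking for, written out as an added example (not code from this thread or from FreeBSD's tcp_subr.c): it decodes the IPv4 header plus the 8 payload bytes that an ICMP unreachable quotes, looks the 4-tuple up in a hypothetical session table, and accepts the message only when the quoted sequence number is one that session has sent and not yet had acknowledged. The session table, addresses and port numbers are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>

/* What an ICMP unreachable quotes from the offending datagram: the original
 * IPv4 header followed by at least 8 bytes of its payload, which for TCP are
 * source port, destination port and sequence number. */
struct quoted_tcp { uint32_t src, dst; uint16_t sport, dport; uint32_t seq; };

/* Hypothetical session-table entry (stand-in for a real TCP control block). */
struct session {
    uint32_t laddr, faddr; uint16_t lport, fport;
    uint32_t snd_una, snd_max;  /* oldest unacked seq, one past highest seq sent */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Decode the quoted IPv4 header + 8 payload bytes; returns 0 if malformed. */
int parse_quoted(const uint8_t *buf, size_t len, struct quoted_tcp *q) {
    if (len < 20 || (buf[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;                /* header may carry options */
    if (ihl < 20 || len < ihl + 8 || buf[9] != 6) return 0;  /* 6 = IPPROTO_TCP */
    q->src = rd32(buf + 12);      q->dst = rd32(buf + 16);
    q->sport = rd16(buf + ihl);   q->dport = rd16(buf + ihl + 2);
    q->seq = rd32(buf + ihl + 4);
    return 1;
}

/* Accept the ICMP only if the 4-tuple names a live session and the quoted
 * sequence number lies in [snd_una, snd_max), i.e. was really sent by us and
 * is still unacknowledged. Subtraction casts give modulo-2^32 comparison. */
int icmp_validates(const struct quoted_tcp *q, const struct session *tab, size_t n) {
    for (size_t i = 0; i < n; i++) {
        const struct session *s = &tab[i];
        if (s->laddr != q->src || s->faddr != q->dst ||
            s->lport != q->sport || s->fport != q->dport) continue;
        return (int32_t)(q->seq - s->snd_una) >= 0 && (int32_t)(q->seq - s->snd_max) < 0;
    }
    return 0;  /* no such session: a spoofed or stale message, ignore it */
}

/* Constructed sample: one session 10.0.0.1:4660 -> 192.0.2.1:80 with sequence
 * numbers 0x1000..0x13ff outstanding, and an ICMP quote whose source port and
 * sequence fields the caller chooses. Returns 1 if the quote would be accepted. */
int sample_verdict(uint16_t sport, uint32_t seq) {
    static const struct session tab[] = {{0x0a000001, 0xc0000201, 4660, 80, 0x1000, 0x1400}};
    uint8_t quote[28] = {0x45, 0, 0, 40, 0, 0, 0, 0, 64, 6, 0, 0, 10, 0, 0, 1, 192, 0, 2, 1};
    quote[20] = (uint8_t)(sport >> 8); quote[21] = (uint8_t)sport; quote[22] = 0; quote[23] = 80;
    quote[24] = (uint8_t)(seq >> 24); quote[25] = (uint8_t)(seq >> 16);
    quote[26] = (uint8_t)(seq >> 8);  quote[27] = (uint8_t)seq;
    struct quoted_tcp q;
    return parse_quoted(quote, sizeof quote, &q) && icmp_validates(&q, tab, 1);
}
```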