From: sthaug@nethelp.no
To: tlambert@primenet.com
Cc: dg@root.com, tom@uniserve.com, freebsd-current@FreeBSD.ORG
Subject: Re: Should FreeBSD-3.0 ship with RFC 1644 (T/TCP) turned off by
In-Reply-To: Your message of "Sun, 6 Sep 1998 06:56:22 +0000 (GMT)"
References: <199809060656.XAA13597@usr01.primenet.com>
Date: Sun, 06 Sep 1998 09:57:00 +0200
Message-ID: <6915.905068620@verdi.nethelp.no>

> That said, one of the reasons for leaving the extensions on by default
> is to ensure that people complain about RFC non-compliance.
>
> I, for one, would be unhappy if FreeBSD disabled these by default, even
> though it's perfectly reasonable for my employer to disable them on
> their derived work.

However, there's a world of difference between RFC 1323 and RFC 1644.

1. As Charles Hannum has pointed out, there are security risks associated
   with RFC 1644.

2. RFC 1323 has the status of "Proposed Standard Protocol", which means
   (see RFC 2300):

      4.1.3. Proposed Standard Protocol

      These are protocol proposals that may be considered by the IESG
      for standardization in the future. Implementation and testing by
      several groups is desirable. Revision of the protocol
      specification is likely.

   RFC 1644 has the status "Experimental Protocol", which means:

      4.1.4. Experimental Protocol

      A system should not implement an experimental protocol unless it
      is participating in the experiment and has coordinated its use of
      the protocol with the developer of the protocol.

Note the "should not". The fact that RFC 1644 is still classified as an
experimental protocol, together with the security risks noted, are (in my
opinion) excellent reasons why RFC 1644 absolutely *should not* be on by
default in FreeBSD.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no