From owner-freebsd-net Mon Dec 18 14:13:47 2000 From owner-freebsd-net@FreeBSD.ORG Mon Dec 18 14:13:45 2000 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx.databus.com (p101-44.acedsl.com [160.79.101.44]) by hub.freebsd.org (Postfix) with ESMTP id 444DE37B400; Mon, 18 Dec 2000 14:13:44 -0800 (PST) Received: (from barney@localhost) by mx.databus.com (8.11.1/8.11.1) id eBIMCmR67880; Mon, 18 Dec 2000 17:12:48 -0500 (EST) (envelope-from barney) Date: Mon, 18 Dec 2000 17:12:48 -0500 From: Barney Wolff To: Jesper Skriver Cc: Mike Silbersack , Kris Kennaway , Poul-Henning Kamp , security-officer@FreeBSD.ORG, cvs-all@FreeBSD.ORG, freebsd-net@FreeBSD.ORG Subject: Re: what to do now ? Was: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h Message-ID: <20001218171248.A67546@mx.databus.com> References: <20001218182600.C1856@skriver.dk> <20001218202710.A16059@skriver.dk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0.1i In-Reply-To: <20001218202710.A16059@skriver.dk>; from jesper@skriver.dk on Mon, Dec 18, 2000 at 08:27:10PM +0100 Sender: barney@mx.databus.com Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I suggest that the ICMP unreachable affect connections only in SYN-SENT and only if the seq number matches, and that it not affect IPSEC'd connections at all. FYI, IPSEC does not run over GRE, but uses two protocol numbers of its own, 50 for ESP and 51 for AH. IKE uses UDP port 500, not TCP. Without the check on seq # & state as well as port/ip, it's too easy to DoS by blindly blasting unreachables to every source port. Barney Wolff To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message