TCP RST handling in 6.0
Lars Eggert
lars.eggert at netlab.nec.de
Tue Nov 8 11:02:34 PST 2005
Hi,
I came across the following in the release notes of 6.0 recently:
"The RST handling of the FreeBSD TCP stack has been improved to make
reset attacks as difficult as possible while maintaining
compatibility with the widest range of TCP stacks. (...) Note that
this behavior technically violates the RFC 793 specification; the
conventional (but less secure) behavior can be restored by setting a
new sysctl net.inet.tcp.insecure_rst to 1. [MERGED]"
This means that the default, unconfigured FreeBSD TCP implementation
is no longer RFC-conformant, which has always been one of its
advantages over competing systems. Although I agree that the
modification can be useful in some specific setups, making it the
default at this time appears hasty. The IETF's tcpm working group is
evaluating mechanisms for RST processing, and one will likely move to
standards track in the future.
Thus, I'd like to suggest that the default for
net.inet.tcp.insecure_rst be zero for now. AFAIK, any other TCP mod
came disabled by default in the past, too.
Lars
--
Lars Eggert NEC Network Laboratories
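The two behaviours the release note contrasts, as an added worked example that is not part of the original message and not FreeBSD's tcp_input.c: a small C model of RST acceptance under the conventional RFC 793 rule (any RST whose SEQ falls in the receive window aborts the connection) and under the hardened rule (only SEQ == rcv_nxt is honoured; an RST elsewhere in the window draws a challenge ACK, the approach the tcpm working group later published as RFC 5961). The `tcb_t` struct, the `rst_policy()` knob that stands in for the sysctl, the blind-attacker loop and the 0x12345678 sequence number are all constructed for this example.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Receiver-side state needed for RST validation (constructed for this example;
 * not FreeBSD's struct tcpcb). */
typedef struct {
    uint32_t rcv_nxt; /* next sequence number we expect from the peer */
    uint32_t rcv_wnd; /* window we last advertised */
} tcb_t;

typedef enum { RST_DROP = 0, RST_ACCEPT = 1, RST_CHALLENGE_ACK = 2 } rst_action_t;

/* Modulo-2^32 sequence comparison, in the style of the BSD SEQ_* macros. */
static bool seq_geq(uint32_t a, uint32_t b) { return (int32_t)(a - b) >= 0; }
static bool seq_lt(uint32_t a, uint32_t b)  { return (int32_t)(a - b) < 0; }

/* RFC 793 segment acceptance test for a segment carrying no data:
 * with a zero window only SEQ == RCV.NXT is acceptable, otherwise
 * RCV.NXT <= SEQ < RCV.NXT + RCV.WND (modulo 2^32). */
static bool in_window(const tcb_t *tp, uint32_t seq)
{
    if (tp->rcv_wnd == 0)
        return seq == tp->rcv_nxt;
    return seq_geq(seq, tp->rcv_nxt) && seq_lt(seq, tp->rcv_nxt + tp->rcv_wnd);
}

/* Conventional (RFC 793) handling: any in-window RST aborts the connection. */
rst_action_t rst_rfc793(const tcb_t *tp, uint32_t seq)
{
    return in_window(tp, seq) ? RST_ACCEPT : RST_DROP;
}

/* Hardened handling: honour an RST only when SEQ is exactly rcv_nxt.  An RST
 * elsewhere in the window is answered with a challenge ACK carrying the
 * current numbers, so a genuine peer that really has closed will reply with
 * an RST bearing the right SEQ, while a blind attacker gains nothing. */
rst_action_t rst_strict(const tcb_t *tp, uint32_t seq)
{
    if (seq == tp->rcv_nxt)
        return RST_ACCEPT;
    if (in_window(tp, seq))
        return RST_CHALLENGE_ACK;
    return RST_DROP;
}

/* Dispatch on a sysctl-like knob (hypothetical stand-in for
 * net.inet.tcp.insecure_rst): nonzero selects the conventional behaviour. */
rst_action_t rst_policy(const tcb_t *tp, uint32_t seq, int insecure_rst)
{
    return insecure_rst ? rst_rfc793(tp, seq) : rst_strict(tp, seq);
}

/* Blind attacker model: knows the 4-tuple and the window size but not the
 * sequence number, and sends one RST per window-sized stride through the
 * whole 32-bit space.  Returns the number of RSTs sent before the connection
 * was torn down, or 0 if none of them was accepted. */
uint64_t blind_rst_packets(const tcb_t *tp, uint32_t stride, int insecure_rst)
{
    uint64_t guesses = (uint64_t)UINT32_MAX / stride + 1;
    for (uint64_t k = 0; k < guesses; k++) {
        uint32_t seq = (uint32_t)(k * stride);
        if (rst_policy(tp, seq, insecure_rst) == RST_ACCEPT)
            return k + 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed connection state; 0x12345678 stands in for a sequence
     * number the attacker cannot observe. */
    tcb_t tp = { .rcv_nxt = 0x12345678, .rcv_wnd = 65535 };

    printf("insecure_rst=1: reset after %" PRIu64 " blind RSTs\n",
           blind_rst_packets(&tp, tp.rcv_wnd, 1));
    printf("insecure_rst=0: reset after %" PRIu64 " blind RSTs (0 = never)\n",
           blind_rst_packets(&tp, tp.rcv_wnd, 0));
    return 0;
}
```

With a 64 KiB window the conventional rule lets the window-stride attacker succeed within about 2^32 / 65535 packets (a few thousand here), whereas the strict rule only accepts the one sequence number equal to rcv_nxt, so the same stride never lands and a full 2^32 guesses would be needed. The challenge ACK is what keeps the strict rule compatible with a legitimate peer whose RST happened to be sent with a stale SEQ.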