TCP RST handling in 6.0
Mathieu CHATEAU
gollum123 at free.fr
Tue Nov 8 11:54:14 PST 2005
Hello,
To start with, I don't want to raise a troll...
Arguments to keep it set:
1/ It can be set back if needed.
2/ 95% of users will benefit, against 5% who will disable it.
3/ Over time, I have ended up with over 70 lines in sysctl.conf to get
FreeBSD secured and the network strong and fast.
4/ The 5% unlucky people know they must take care of it (so they will
find out about this parameter easily, as you did).
Maybe we can just add a warning during install (asking what to do)?
Cheers,
Mathieu CHATEAU
Tuesday, November 8, 2005, 8:02:25 PM, you wrote:
LE> Hi,
LE> I came across the following in the release notes of 6.0 recently:
LE> "The RST handling of the FreeBSD TCP stack has been improved to make
LE> reset attacks as difficult as possible while maintaining
LE> compatibility with the widest range of TCP stacks. (...) Note that
LE> this behavior technically violates the RFC 793 specification; the
LE> conventional (but less secure) behavior can be restored by setting a
LE> new sysctl net.inet.tcp.insecure_rst to 1. [MERGED]"
LE> This means that the default, unconfigured FreeBSD TCP implementation
LE> is no longer RFC-conformant, which has always been one of its
LE> advantages over competing systems. Although I agree that the
LE> modification can be useful in some specific setups, making it the
LE> default at this time appears hasty. The IETF's tcpm working group is
LE> evaluating mechanisms for RST processing, and one will likely move to
LE> standards track in the future.
LE> Thus, I'd like to suggest that the default for
LE> net.inet.tcp.insecure_rst be zero for now. AFAIK, any other TCP mod
LE> came disabled by default in the past, too.
LE> Lars
LE> --
LE> Lars Eggert NEC Network Laboratories
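The two RST acceptance policies the quoted release note contrasts, modelled as an added example (not code from this thread or from FreeBSD itself): the RFC 793 in-window check beside a stricter exact-match check, with `insecure_rst` standing in for the sysctl. The exact-match rule and the `last_ack_sent` detail are assumptions made here for illustration, not a description of the actual FreeBSD implementation.

```python
# Model of TCP RST acceptance under two policies (assumptions, not FreeBSD code):
#  - insecure_rst=True : RFC 793 rule, any RST whose sequence number lies in
#                        the receive window resets the connection.
#  - insecure_rst=False: stricter rule, the RST must also match exactly the
#                        next expected sequence number (or the last ACK we sent).
SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def seq_lt(a: int, b: int) -> bool:
    """True if sequence number a precedes b, honouring 32-bit wrap-around."""
    return ((a - b) % SEQ_MOD) >= SEQ_MOD // 2


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 check: rcv_nxt <= seq < rcv_nxt + rcv_wnd (mod 2^32)."""
    end = (rcv_nxt + rcv_wnd) % SEQ_MOD
    return not seq_lt(seq, rcv_nxt) and seq_lt(seq, end)


def rst_accepted(seq: int, rcv_nxt: int, last_ack_sent: int,
                 rcv_wnd: int, insecure_rst: bool) -> bool:
    """Decide whether a RST carrying sequence number `seq` tears down the connection."""
    if not in_window(seq, rcv_nxt, rcv_wnd):
        return False  # both policies drop a RST that is outside the window
    if insecure_rst:
        return True  # conventional behaviour: in-window is enough
    # stricter default (modelled): exact match with what we expect next
    return seq == rcv_nxt or seq == last_ack_sent


def accepted_count(rcv_nxt: int, last_ack_sent: int, rcv_wnd: int,
                   insecure_rst: bool) -> int:
    """How many of the rcv_wnd in-window sequence values would reset the connection.

    This is the size of the space a blind sender must cover, so it measures
    how much harder the stricter policy makes an off-path reset.
    """
    return sum(
        1 for off in range(rcv_wnd)
        if rst_accepted((rcv_nxt + off) % SEQ_MOD, rcv_nxt,
                        last_ack_sent, rcv_wnd, insecure_rst)
    )


if __name__ == "__main__":
    # constructed connection state: 64 KiB window, no delayed ACK outstanding
    nxt, wnd = 0xFFFFFF00, 65535  # window straddles the 2^32 wrap on purpose
    for mode in (True, False):
        print(f"insecure_rst={int(mode)}: {accepted_count(nxt, nxt, wnd, mode)} "
              f"of {wnd} in-window sequence numbers are accepted")
```

Run it to see the in-window count drop from the whole window to a single value when the sysctl is left at its 6.0 default of 0.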