TCP RST handling in 6.0

Brooks Davis brooks at one-eyed-alien.net
Tue Nov 8 12:24:26 PST 2005


On Tue, Nov 08, 2005 at 11:02:25AM -0800, Lars Eggert wrote:
> Hi,
> 
> I came across the following in the release notes of 6.0 recently:
> 
> "The RST handling of the FreeBSD TCP stack has been improved to make
> reset attacks as difficult as possible while maintaining
> compatibility with the widest range of TCP stacks. (...) Note that
> this behavior technically violates the RFC 793 specification; the
> conventional (but less secure) behavior can be restored by setting a
> new sysctl net.inet.tcp.insecure_rst to 1. [MERGED]"
> 
> This means that the default, unconfigured FreeBSD TCP implementation  
> is no longer RFC-conformant, which has always been one of its  
> advantages over competing systems. Although I agree that the  
> modification can be useful in some specific setups, making it the  
> default at this time appears hasty. The IETF's tcpm working group is  
> evaluating mechanisms for RST processing, and one will likely move to  
> standards track in the future.

Anyone claiming a "fully RFC-conformant TCP implementation" is almost
certainly full of it.  Striving for standards conformance even when the
standards are wrong or inadequate is not particularly useful IMO.  Where
possible we should provide knobs to switch between the behaviors, but
given the rate at which standards are updated, I don't believe waiting
for final approval to flip a switch is viable.

-- Brooks
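The release note quoted above says only that the new default "technically violates the RFC 793 specification" and makes reset attacks harder; it does not spell out the acceptance rule. The following is an added illustration, not code from the FreeBSD release notes, from tcp_input.c, or from either author in this thread. It models the RFC 793 rule (an RST is valid if its sequence number falls anywhere in the receive window) against an assumed strict rule (accept only an RST whose sequence number equals RCV.NXT) behind a knob named after net.inet.tcp.insecure_rst, then sweeps a band of candidate sequence numbers the way a blind attacker spraying RSTs would, to show how much of the 2^32 sequence space each policy exposes. The strict rule, the knob wiring, and the sample connection state are assumptions for the example; FreeBSD's actual rule is not reproduced here.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Minimal connection state for the example (constructed, not the kernel's tcpcb). */
struct tcb {
    uint32_t rcv_nxt;  /* RCV.NXT: next sequence number we expect to receive */
    uint32_t rcv_wnd;  /* RCV.WND: size of the receive window in bytes */
};

/* RFC 793 sequence-space comparisons: modular arithmetic on 32-bit numbers,
 * so a window that wraps past 2^32 is still handled correctly. */
static bool seq_leq(uint32_t a, uint32_t b) { return (int32_t)(a - b) <= 0; }
static bool seq_lt(uint32_t a, uint32_t b)  { return (int32_t)(a - b) < 0; }

/* RFC 793, section 3.4: in the synchronized states an incoming RST is valid
 * if its sequence number is within the receive window
 * [RCV.NXT, RCV.NXT + RCV.WND). Any of RCV.WND values resets the connection. */
bool rst_acceptable_rfc793(const struct tcb *tp, uint32_t seq)
{
    return seq_leq(tp->rcv_nxt, seq) && seq_lt(seq, tp->rcv_nxt + tp->rcv_wnd);
}

/* Assumed strict policy for illustration: accept an RST only when its
 * sequence number is exactly RCV.NXT. A blind attacker now has to hit one
 * value out of 2^32 instead of any of RCV.WND values. This deliberately
 * violates RFC 793, which is the point the release note makes. */
bool rst_acceptable_strict(const struct tcb *tp, uint32_t seq)
{
    return seq == tp->rcv_nxt;
}

/* Knob modeled on net.inet.tcp.insecure_rst: 1 restores the RFC 793 rule,
 * 0 keeps the strict rule. (Modeled for the example, not the kernel's code path.) */
bool rst_acceptable(const struct tcb *tp, uint32_t seq, int insecure_rst)
{
    return insecure_rst ? rst_acceptable_rfc793(tp, seq)
                        : rst_acceptable_strict(tp, seq);
}

/* Constructed experiment: a blind attacker who knows the 4-tuple but not the
 * sequence number sprays RSTs across a band of `radius` values on either side
 * of RCV.NXT. Count how many of those segments each policy would accept. */
struct sweep_result {
    uint32_t accepted_rfc793;
    uint32_t accepted_strict;
};

struct sweep_result sweep_rst(const struct tcb *tp, uint32_t radius)
{
    struct sweep_result r = { 0, 0 };
    for (uint32_t off = 0; off < 2 * radius; off++) {
        uint32_t seq = tp->rcv_nxt - radius + off;   /* wraps modulo 2^32 */
        if (rst_acceptable(tp, seq, 1)) r.accepted_rfc793++;
        if (rst_acceptable(tp, seq, 0)) r.accepted_strict++;
    }
    return r;
}

int main(void)
{
    /* Constructed sample connection: a 64 KiB window, RCV.NXT chosen so the
     * window does not wrap. */
    struct tcb tp = { .rcv_nxt = 0x12345678u, .rcv_wnd = 65535u };
    struct sweep_result r = sweep_rst(&tp, 100000u);

    printf("RFC 793 rule accepts %u of the %u sprayed RSTs\n",
           r.accepted_rfc793, 2u * 100000u);
    printf("strict rule accepts  %u of the %u sprayed RSTs\n",
           r.accepted_strict, 2u * 100000u);

    /* Wraparound: a window straddling 2^32 still accepts an in-window RST
     * under RFC 793, and still rejects it under the strict rule. */
    struct tcb wrap = { .rcv_nxt = 0xFFFFFF00u, .rcv_wnd = 0x200u };
    printf("wrapped window, seq 0x10: rfc793=%d strict=%d\n",
           rst_acceptable_rfc793(&wrap, 0x10u), rst_acceptable_strict(&wrap, 0x10u));
    return 0;
}
```

The sweep makes the trade-off concrete: with a 64 KiB window the RFC 793 rule accepts every one of the 65535 in-window guesses, so an attacker needs on the order of 2^32 / 65535 tries, while the exact-match rule accepts exactly one. The cost is the interoperability concern raised in the thread: a peer whose RST carries a sequence number that is in-window but not exactly RCV.NXT will not tear the connection down.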


More information about the freebsd-net mailing list