TCP RST handling in 6.0

Mike Silbersack silby at silby.com
Wed Nov 9 03:29:55 PST 2005


On Tue, 8 Nov 2005, Lars Eggert wrote:

> Also note that other attacks against long-lived TCP connections are still 
> possible, e.g., through spoofed ICMP packets.

I don't think we've been vulnerable to the ICMP-based reset attack for a 
few years, actually.  Using SYN packets is the best method, for now.  We 
haven't implemented any changes to how we handle SYN packets yet.  I'll 
get back on that after eurobsdcon.

> I do see the release engineering aspects of switching this off by default. In 
> the end, it's a judgement call.

If it indeed does cause problems and I switch it back to off in 
6.0-stable, we'll have no end of people who are really confused when a 
move from 6.0-release to 6.0-stable fixes their mysterious problem.  So, 
changing is out of the question at this point.

BTW, have traces of the stacks which interact badly due to the changes in 
tcpsecure been archived somewhere?

Mike "Silby" Silbersack
