Re: [Full-Disclosure] IETF Draft - Fix for TCP vulnerability (fwd)

From: jayanth (jayanth_at_yahoo-inc.com)
Date: 04/24/04

  • Next message: Crist J. Clark: "Re: IPsec - got ESP going, but not AH"
    Date: Fri, 23 Apr 2004 16:19:36 -0700
    To: Mike Silbersack <silby@silby.com>
    
    

    Mike Silbersack (silby@silby.com) wrote:
    >
    > On Fri, 23 Apr 2004, Don Lewis wrote:
    >
    > > > What type of packet was causing the Alteons to emit the RST? SYN, FIN,
    > > > normal data?
    > > >
    > > > Also, has Alteon fixed the problem or do their load balancers still
    > > > exhibit the behavior?
    > >
    > > The link I posted showed it was a FIN, and after the RST was sent (and
    > > ignored by the FreeBSD stack because of the strict sequence number
    > > check), the Alteon (or whatever it was) did not respond to the
    > > retransmissions of the FIN packet.
    > >
    > > Maybe we can get by with the strict check by default and add a sysctl to
    > > revert to the permissive check.
    >
    > I think Darren's suggestion would be a reasonable compromise; use the
    > strict check in the ESTABLISHED state, and the permissive check otherwise.
    > Established connections are what would be attacked, so we need the
    > security there, but the closing states are where oddities seem to pop up,
    > so we can use the permissive check there.
    >
    > If this is acceptable, I'd like to get it committed this weekend so that
    > we can still get it into 4.10.
    >

    Sure, that sounds reasonable. The sysctl should be good for Yahoo.

    thanks,
    jayanth
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
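The RST check being negotiated above, worked through as an added example: this is not FreeBSD's code nor anything from the thread, the state names, the `struct conn` fields and the `strict_mode` flag are assumptions standing in for the kernel's tcpcb fields and the proposed sysctl, and `blind_rst_guesses()` goes beyond the thread by quantifying why the strict check matters against an off-path attacker who has to guess a sequence number for an established connection.

```c
/* Added example (not FreeBSD's code): RST acceptance policy for the
 * strict-vs-permissive sequence-number check discussed in the thread.
 * State names, struct conn and strict_mode are assumptions standing in
 * for the kernel's tcpcb fields and the proposed sysctl. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Signed-difference comparisons so sequence-space wraparound works. */
#define SEQ_LT(a, b)  ((int32_t)((a) - (b)) < 0)
#define SEQ_GEQ(a, b) ((int32_t)((a) - (b)) >= 0)

enum tcp_state {
    TCPS_ESTABLISHED,
    TCPS_FIN_WAIT_1,
    TCPS_FIN_WAIT_2,
    TCPS_CLOSE_WAIT,
    TCPS_CLOSING,
    TCPS_LAST_ACK
};

struct conn {
    enum tcp_state state;
    uint32_t rcv_nxt;   /* next sequence number we expect to receive */
    uint32_t rcv_wnd;   /* size of the receive window we advertised */
};

/* Permissive check: the RST is accepted if its SEQ falls anywhere inside
 * the advertised receive window [rcv_nxt, rcv_nxt + rcv_wnd). */
static bool rst_in_window(const struct conn *c, uint32_t seq)
{
    return SEQ_GEQ(seq, c->rcv_nxt) && SEQ_LT(seq, c->rcv_nxt + c->rcv_wnd);
}

/* Strict check: the RST must carry exactly the next expected SEQ. */
static bool rst_exact(const struct conn *c, uint32_t seq)
{
    return seq == c->rcv_nxt;
}

/* The compromise in the thread: strict check in ESTABLISHED (the state an
 * attacker targets), permissive check in the closing states where the
 * Alteon-style oddities were seen. strict_mode == 0 reverts to the
 * permissive check everywhere, which is what the proposed sysctl would do. */
bool rst_accepted(const struct conn *c, uint32_t seq, int strict_mode)
{
    if (!rst_in_window(c, seq))
        return false;                       /* out of window: always dropped */
    if (strict_mode && c->state == TCPS_ESTABLISHED)
        return rst_exact(c, seq);
    return true;
}

/* Number of blind RSTs an off-path attacker needs to cover the whole 2^32
 * sequence space for one known port pair: one per window under the
 * permissive check, one per sequence number under the strict check. */
uint64_t blind_rst_guesses(uint32_t rcv_wnd, int strict)
{
    const uint64_t space = (uint64_t)1 << 32;
    if (strict || rcv_wnd == 0)
        return space;
    return (space + rcv_wnd - 1) / rcv_wnd;     /* ceiling division */
}

int main(void)
{
    /* Constructed sample connection: established, 65535-byte window, and a
     * rcv_nxt close to wraparound so the window crosses 2^32. */
    struct conn c = { TCPS_ESTABLISHED, 0xFFFFFF00u, 65535 };
    uint32_t guesses[] = { 0xFFFFFF00u, 0x00001000u, 0x80000000u };

    for (size_t i = 0; i < sizeof guesses / sizeof guesses[0]; i++)
        printf("seq=%08x strict=%d permissive=%d\n", guesses[i],
               rst_accepted(&c, guesses[i], 1), rst_accepted(&c, guesses[i], 0));

    printf("blind guesses, wnd=65535: permissive=%llu strict=%llu\n",
           (unsigned long long)blind_rst_guesses(65535, 0),
           (unsigned long long)blind_rst_guesses(65535, 1));
    return 0;
}
```

The second guess in `main` (SEQ 0x1000) is in-window only because the window wraps past 2^32, which is why the comparisons go through the signed-difference macros rather than plain `<`; the permissive check accepts it, the strict check in ESTABLISHED drops it, and the same RST would be accepted again once the connection moved to a closing state.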
