Date: Tue, 8 Nov 2005 20:54:13 +0100
From: Mathieu CHATEAU <gollum123@free.fr>
To: Lars Eggert <lars.eggert@netlab.nec.de>
Cc: net@freebsd.org
Subject: Re: TCP RST handling in 6.0
Message-ID: <885717694.20051108205413@free.fr>
In-Reply-To: <E019841F-389F-4B15-942E-F30F6745ECBF@netlab.nec.de>
References: <E019841F-389F-4B15-942E-F30F6745ECBF@netlab.nec.de>
Hello,

To start with, I don't want to start a troll...

Arguments to keep it set:

1/ It can be set back if needed.
2/ 95% of users will get benefits, against 5% that will disable it.
3/ Over time, I have accumulated over 70 lines in sysctl.conf to get FreeBSD secured and the network strong and fast.
4/ The 5% unlucky people know they must take care of it (so they will find out about this parameter easily, as you did).

Maybe we can just set a warning during install (asking what to do)?

Cheers,
Mathieu CHATEAU

Tuesday, November 8, 2005, 8:02:25 PM, you wrote:

LE> Hi,
LE>
LE> I came across the following in the release notes of 6.0 recently:
LE>
LE> "The RST handling of the FreeBSD TCP stack has been improved to make
LE> reset attacks as difficult as possible while maintaining
LE> compatibility with the widest range of TCP stacks. (...) Note that
LE> this behavior technically violates the RFC 793 specification; the
LE> conventional (but less secure) behavior can be restored by setting a
LE> new sysctl net.inet.tcp.insecure_rst to 1. [MERGED]"
LE>
LE> This means that the default, unconfigured FreeBSD TCP implementation
LE> is no longer RFC-conformant, which has always been one of its
LE> advantages over competing systems. Although I agree that the
LE> modification can be useful in some specific setups, making it the
LE> default at this time appears hasty. The IETF's tcpm working group is
LE> evaluating mechanisms for RST processing, and one will likely move to
LE> standards track in the future.
LE>
LE> Thus, I'd like to suggest that the default for
LE> net.inet.tcp.insecure_rst be zero for now. AFAIK, any other TCP mod
LE> came disabled by default in the past, too.
LE>
LE> Lars
LE>
LE> --
LE> Lars Eggert NEC Network Laboratories
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?885717694.20051108205413>