From: Mathieu CHATEAU <gollum123@free.fr>
To: Lars Eggert
Cc: net@freebsd.org
Date: Tue, 8 Nov 2005 20:54:13 +0100
Subject: Re: TCP RST handling in 6.0
Message-ID: <885717694.20051108205413@free.fr>
List-Id: Networking and TCP/IP with FreeBSD (freebsd-net@freebsd.org)

hello,

To start with, I don't want to raise a troll...

Arguments to keep it set:

1/ It can be set back if needed.
2/ 95% of users will get benefits, against 5% that will disable it.
3/ Over time, I have ended up with above 70 lines in sysctl.conf to get FreeBSD secured and the network strong and fast.
4/ The 5% unlucky people know they must take care of it (so they will find out about this parameter easily, as you did).

Maybe we can just set a warning during install (asking what to do)?
cheers,
Mathieu CHATEAU

Tuesday, November 8, 2005, 8:02:25 PM, you wrote:

LE> Hi,
LE>
LE> I came across the following in the release notes of 6.0 recently:
LE>
LE> "The RST handling of the FreeBSD TCP stack has been improved to make
LE> reset attacks as difficult as possible while maintaining
LE> compatibility with the widest range of TCP stacks. (...) Note that
LE> this behavior technically violates the RFC 793 specification; the
LE> conventional (but less secure) behavior can be restored by setting a
LE> new sysctl net.inet.tcp.insecure_rst to 1. [MERGED]"
LE>
LE> This means that the default, unconfigured FreeBSD TCP implementation
LE> is no longer RFC-conformant, which has always been one of its
LE> advantages over competing systems. Although I agree that the
LE> modification can be useful in some specific setups, making it the
LE> default at this time appears hasty. The IETF's tcpm working group is
LE> evaluating mechanisms for RST processing, and one will likely move to
LE> standards track in the future.
LE>
LE> Thus, I'd like to suggest that the default for
LE> net.inet.tcp.insecure_rst be zero for now. AFAIK, any other TCP mod
LE> came disabled by default in the past, too.
LE>
LE> Lars
LE>
LE> --
LE> Lars Eggert                                     NEC Network Laboratories
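To make concrete what the release note quoted above is trading off, here is an added example (not code from the thread or from the FreeBSD kernel) that models the two RST acceptance rules and runs a blind reset attack against each. RFC 793 accepts an RST whose sequence number falls anywhere in the receive window; the stricter rule is modelled here as "accept only within a small tolerance of RCV.NXT", with the tolerance of +/-1 being my recollection of the 6.x code and labelled as an assumption (the real kernel also checks against the last ACK it sent, and later versions moved to challenge ACKs). The attacker is assumed to know the 4-tuple but not RCV.NXT, and to send one spoofed RST per window-sized slice of the 32-bit sequence space, which is enough to guarantee a hit under the RFC 793 rule:

```python
"""Model of TCP RST validation: RFC 793 in-window rule vs. a strict
near-RCV.NXT rule, and a blind reset attack run against both.

Added example; not FreeBSD code. The +/-1 tolerance below is an
assumption about how the hardened (insecure_rst=0) path behaves.
"""

SEQ_SPACE = 1 << 32          # TCP sequence numbers are 32-bit, modulo 2^32
STRICT_TOLERANCE = 1         # assumption: accept SEQ within RCV.NXT +/- 1


def in_receive_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptability test, modulo 2^32:
    RCV.NXT <= SEQ < RCV.NXT + RCV.WND (handles sequence-number wrap)."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def near_rcv_nxt(seq: int, rcv_nxt: int, tolerance: int = STRICT_TOLERANCE) -> bool:
    """Strict test: |SEQ - RCV.NXT| <= tolerance, modulo 2^32."""
    diff = (seq - rcv_nxt) % SEQ_SPACE
    return diff <= tolerance or SEQ_SPACE - diff <= tolerance


def rst_accepted(seq: int, rcv_nxt: int, rcv_wnd: int, insecure_rst: bool) -> bool:
    """Decide whether an RST with sequence number `seq` tears down the
    connection. insecure_rst=True models net.inet.tcp.insecure_rst=1
    (RFC 793 behaviour); False models the hardened default."""
    if insecure_rst:
        return in_receive_window(seq, rcv_nxt, rcv_wnd)
    return near_rcv_nxt(seq, rcv_nxt)


def blind_reset_attack(rcv_nxt: int, rcv_wnd: int, insecure_rst: bool) -> tuple[int, int]:
    """Spoof one RST per window-sized slice of the sequence space (the
    attacker does not know rcv_nxt). Returns (segments_sent, segments_accepted).

    Under RFC 793 this stride guarantees at least one hit; under the strict
    rule a hit needs the guess to land within +/-1 of RCV.NXT, so the same
    budget almost always yields zero."""
    sent = accepted = 0
    for guess in range(0, SEQ_SPACE, rcv_wnd):
        sent += 1
        if rst_accepted(guess, rcv_nxt, rcv_wnd, insecure_rst):
            accepted += 1
    return sent, accepted


def segments_to_guarantee_reset(rcv_wnd: int, insecure_rst: bool) -> int:
    """Worst-case number of spoofed RSTs needed to be certain of a reset:
    one per window under RFC 793, one per sequence number under the strict
    rule (the tolerance only shaves a constant factor off 2^32)."""
    if insecure_rst:
        return -(-SEQ_SPACE // rcv_wnd)           # ceil(2^32 / rcv_wnd)
    return -(-SEQ_SPACE // (2 * STRICT_TOLERANCE + 1))


if __name__ == "__main__":
    # Constructed connection state: an arbitrary RCV.NXT and a 64 KiB window.
    rcv_nxt, rcv_wnd = 0x12345678, 65535
    for insecure in (True, False):
        sent, hits = blind_reset_attack(rcv_nxt, rcv_wnd, insecure)
        print(f"insecure_rst={int(insecure)}: sent {sent} RSTs, {hits} accepted; "
              f"worst case to guarantee reset: {segments_to_guarantee_reset(rcv_wnd, insecure)}")
```

The number to look at is the ratio between the two worst cases: with a 64 KiB window the RFC 793 rule lets an attacker who knows the 4-tuple finish in about 65k segments, while the strict rule pushes that toward the full 2^32 space. This is also why the note says compatibility is "technically" violated: a legitimate peer whose RST arrives slightly ahead of RCV.NXT (data still in flight) is dropped rather than honoured, which is the case the 5% Mathieu mentions would hit.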