Date:      Tue, 8 Nov 2005 12:24:25 -0800
From:      Brooks Davis <brooks@one-eyed-alien.net>
To:        Lars Eggert <lars.eggert@netlab.nec.de>
Cc:        net@freebsd.org
Subject:   Re: TCP RST handling in 6.0
Message-ID:  <20051108202425.GE27091@odin.ac.hmc.edu>
In-Reply-To: <E019841F-389F-4B15-942E-F30F6745ECBF@netlab.nec.de>
References:  <E019841F-389F-4B15-942E-F30F6745ECBF@netlab.nec.de>

On Tue, Nov 08, 2005 at 11:02:25AM -0800, Lars Eggert wrote:
> Hi,
> 
> I came across the following in the release notes of 6.0 recently:
> 
> "The RST handling of the FreeBSD TCP stack has been improved to make  
> reset attacks as difficult as possible while maintaining  
> compatibility with the widest range of TCP stacks. (...) Note that  
> this behavior technically violates the RFC 793 specification; the  
> conventional (but less secure) behavior can be restored by setting a  
> new sysctl net.inet.tcp.insecure_rst to 1. [MERGED]"
> 
> This means that the default, unconfigured FreeBSD TCP implementation  
> is no longer RFC-conformant, which has always been one of its  
> advantages over competing systems. Although I agree that the  
> modification can be useful in some specific setups, making it the  
> default at this time appears hasty. The IETF's tcpm working group is  
> evaluating mechanisms for RST processing, and one will likely move to  
> standards track in the future.

Anyone claiming a "fully RFC-conformant TCP implementation" is almost
certainly full of it.  Striving for standards conformance even when the
standards are wrong or inadequate is not particularly useful IMO.  Where
possible we should provide knobs to switch between the behaviors, but
given the rate at which standards are updated, I don't believe waiting
for final approval to flip a switch is viable.

-- Brooks
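The thread turns on one question: which sequence numbers should a TCP endpoint accept in a RST segment. The following is an added example, not FreeBSD's tcp_input.c and not code from either poster. It models the two policies side by side: the RFC 793 page-37 rule (any RST whose sequence number falls inside the receive window is valid) and a hardened rule. The hardened rule shown here, accepting a RST only when its sequence number equals rcv_nxt exactly, is an assumption chosen for illustration; the quoted release note says the check was tightened but does not spell out the exact condition. The `tcp_insecure_rst` variable mirrors the `net.inet.tcp.insecure_rst` sysctl from the note, and the `tcb`, `rst_stats` structures and all sample sequence numbers are constructed for the example. Sequence comparisons use modulo-2^32 arithmetic, so the wraparound cases the test exercises are handled correctly.

```c
/* Added example: two TCP RST acceptance policies with wraparound-safe
 * sequence arithmetic. Not FreeBSD's code; the strict rule is assumed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TCP sequence space wraps at 2^32, so compare via a signed difference. */
static inline bool seq_lt(uint32_t a, uint32_t b)  { return (int32_t)(a - b) < 0; }
static inline bool seq_geq(uint32_t a, uint32_t b) { return (int32_t)(a - b) >= 0; }

/* Minimal connection state (constructed for the example). */
struct tcb {
    uint32_t rcv_nxt;   /* next sequence number expected from the peer */
    uint32_t rcv_wnd;   /* advertised receive window in bytes */
};

/* Knob mirroring net.inet.tcp.insecure_rst: 1 restores RFC 793 behaviour. */
static int tcp_insecure_rst = 0;

/* RFC 793 p.37: a RST is valid if SEQ is in [RCV.NXT, RCV.NXT + RCV.WND). */
bool rst_valid_rfc793(const struct tcb *tp, uint32_t seq)
{
    return seq_geq(seq, tp->rcv_nxt) && seq_lt(seq, tp->rcv_nxt + tp->rcv_wnd);
}

/* Hardened rule (assumption for illustration): only an exact match on
 * RCV.NXT is honoured, so an in-window but inexact RST is dropped. */
bool rst_valid_strict(const struct tcb *tp, uint32_t seq)
{
    return seq == tp->rcv_nxt;
}

/* Policy selection, the way the sysctl in the release note selects it. */
bool rst_accept(const struct tcb *tp, uint32_t seq)
{
    return tcp_insecure_rst ? rst_valid_rfc793(tp, seq) : rst_valid_strict(tp, seq);
}

/* Size of the accepting set out of the 2^32 sequence space. This is what
 * an off-path sender that cannot see the connection has to hit; the
 * larger the window, the more exposed the RFC 793 policy is. */
uint64_t exposed_seq_count(int insecure, uint32_t rcv_wnd)
{
    return insecure ? (uint64_t)rcv_wnd : 1u;
}

/* A counter like a stack's "bad RST" statistic: dropped RSTs are the
 * observable signal a defender can watch for on a hardened host. */
struct rst_stats { unsigned accepted; unsigned dropped; };

struct rst_stats count_rsts(const struct tcb *tp, const uint32_t *seqs, size_t n)
{
    struct rst_stats st = { 0, 0 };
    for (size_t i = 0; i < n; i++) {
        if (rst_accept(tp, seqs[i])) st.accepted++;
        else st.dropped++;
    }
    return st;
}

int main(void)
{
    /* Connection state near the top of the sequence space, so the window
     * wraps past 0xFFFFFFFF (constructed values). */
    struct tcb tp = { .rcv_nxt = 0xFFFFFFF0u, .rcv_wnd = 65535u };
    /* Constructed RST sequence numbers: exact, wrapped in-window,
     * just below the window, and mid-window. */
    uint32_t seqs[] = { 0xFFFFFFF0u, 0x00000010u, 0xFFFFFFEFu, 0x00005000u };
    size_t n = sizeof seqs / sizeof seqs[0];

    for (int knob = 0; knob <= 1; knob++) {
        tcp_insecure_rst = knob;
        struct rst_stats st = count_rsts(&tp, seqs, n);
        printf("insecure_rst=%d: accepted=%u dropped=%u exposed=%llu of 2^32\n",
               knob, st.accepted, st.dropped,
               (unsigned long long)exposed_seq_count(knob, tp.rcv_wnd));
    }
    return 0;
}
```

With the constructed state above, the strict policy accepts only the exact-match RST and drops the other three, while the RFC 793 policy accepts the three in-window segments, including the one that wrapped past zero. The `exposed_seq_count` figure makes Brooks' trade-off concrete: the knob buys back strict RFC 793 conformance at the price of a window-sized accepting set instead of a single sequence number.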