From: Brooks Davis <brdavis@odin.ac.hmc.edu>
To: Lars Eggert
Cc: net@freebsd.org
Date: Tue, 8 Nov 2005 12:24:25 -0800
Subject: Re: TCP RST handling in 6.0
Message-ID: <20051108202425.GE27091@odin.ac.hmc.edu>
List: freebsd-net (Networking and TCP/IP with FreeBSD)

On Tue, Nov 08, 2005 at 11:02:25AM -0800, Lars Eggert wrote:
> Hi,
>
> I came across the following in the release notes of 6.0 recently:
>
> "The RST handling of the FreeBSD TCP stack has been improved to make
> reset attacks as difficult as possible while maintaining
> compatibility with the widest range of TCP stacks. (...) Note that
> this behavior technically violates the RFC 793 specification; the
> conventional (but less secure) behavior can be restored by setting a
> new sysctl net.inet.tcp.insecure_rst to 1. [MERGED]"
>
> This means that the default, unconfigured FreeBSD TCP implementation
> is no longer RFC-conformant, which has always been one of its
> advantages over competing systems. Although I agree that the
> modification can be useful in some specific setups, making it the
> default at this time appears hasty. The IETF's tcpm working group is
> evaluating mechanisms for RST processing, and one will likely move to
> standards track in the future.

Anyone claiming a "fully RFC-conformant TCP implementation" is almost
certainly full of it. Striving for standards conformance even when the
standards are wrong or inadequate is not particularly useful IMO. Where
possible we should provide knobs to switch between the behaviors, but
given the rate at which standards are updated, I don't believe waiting
for final approval to flip a switch is viable.

-- Brooks