From owner-freebsd-net@FreeBSD.ORG Tue Nov 8 21:20:26 2005 Return-Path: X-Original-To: net@freebsd.org Delivered-To: freebsd-net@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3ACF016A41F for ; Tue, 8 Nov 2005 21:20:26 +0000 (GMT) (envelope-from lars.eggert@netlab.nec.de) Received: from kyoto.netlab.nec.de (kyoto.netlab.nec.de [195.37.70.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8602243D45 for ; Tue, 8 Nov 2005 21:20:25 +0000 (GMT) (envelope-from lars.eggert@netlab.nec.de) Received: from lars.ietf64.ietf.org (pp107-126.bctel.ca [209.52.107.126]) by kyoto.netlab.nec.de (Postfix) with ESMTP id 013D81BAC4D; Tue, 8 Nov 2005 22:15:23 +0100 (CET) Received: from [127.0.0.1] (localhost [127.0.0.1]) by lars.ietf64.ietf.org (Postfix) with ESMTP id DC34C41385B; Tue, 8 Nov 2005 13:14:33 -0800 (PST) In-Reply-To: <20051108130801.Y36544@odysseus.silby.com> References: <20051108130801.Y36544@odysseus.silby.com> Mime-Version: 1.0 (Apple Message framework v746.2) Content-Type: multipart/signed; micalg=sha1; boundary=Apple-Mail-13-705931855; protocol="application/pkcs7-signature" Message-Id: From: Lars Eggert Date: Tue, 8 Nov 2005 13:14:30 -0800 To: Mike Silbersack X-Mailer: Apple Mail (2.746.2) X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: net@freebsd.org Subject: Re: TCP RST handling in 6.0 X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Nov 2005 21:20:26 -0000 --Apple-Mail-13-705931855 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed Hi, On Nov 8, 2005, at 11:23, Mike Silbersack wrote: > > I'm open to discussing the change. I plan to revisit that and the > SYN causing a connection reset issue after eurobsdcon. good to know, thanks! > However, I'm open to clubbing you over the head for not saying > anything throughout the entire 6.0 release cycle and requesting the > change AFTER THE RELEASE HAS SHIPPED. Since 6.0 shipped with this > feature on, I don't think we should flip the setting back to off > until a good reason has been given. Point taken, and I'm very sorry. I no longer follow -current, so I've missed this completely until I looked at 6.0. The argument for switching it back off would be that the RST attack is probably only effective against long-lived connections between well-known ports, the canonical example being BGP sessions. I doubt that the average user has many such connections open and thus will see little benefit from having this on. The change does increase the chances of ignoring valid RSTs, which could lead to all sorts of problems, especially when talking to esoteric TCP stacks. These two effects (attack resistance vs. compatibility) are hard to trade off. I'd personally argue for the conservative approach. Also note that other attacks against long-lived TCP connections are still possible, e.g., through spoofed ICMP packets. I do see the release engineering aspects of switching this off by default. In the end, it's a judgement call. > While we're on the subject of potential problems, I'd like to throw > out an idea. What would people think of a "log perhaps somewhat in > vain" option (turned on by default) that logged unusual looking > packets to /var/log/ip.log - but did it in a ratelimited fashion, > so that it would not be possible for attackers to chew up disk > space. This would of course get written to during an attack, but > it would also log legitimate cases, such as where a RST blocked by > this setting came in. This could also be used to tell if future > changes cause additional incompatibilities. > > Such a feature wouldn't cause performance problems, but I could see > there being privacy concerns. If the log was only root readable, > what would people think? Remember that I'm talking only about > logging "odd" packets, and only their TCP/IP flags and fields, not > the data contents. I think that'd be very useful. I frequently come across entries in the logs that I wish I had some more information about. I'd even go as far as (optionally) dumping all such packets in tcpdump format. Lars -- Lars Eggert NEC Network Laboratories --Apple-Mail-13-705931855--