From: Lars Eggert <lars.eggert@netlab.nec.de>
Date: Tue, 8 Nov 2005 13:20:07 -0800
To: Mathieu CHATEAU
Cc: net@freebsd.org
Subject: Re: TCP RST handling in 6.0
In-Reply-To: <885717694.20051108205413@free.fr>
Message-Id: <304C5D45-BF2F-4648-AB36-92F10BF0D482@netlab.nec.de>
List-Id: Networking and TCP/IP with FreeBSD (freebsd-net@freebsd.org)

On Nov 8, 2005, at 11:54, Mathieu CHATEAU wrote:

> 1/ it can be set back if needed

It can be enabled, too, if needed.

> 2/ 95% of users will get benefits against 5% that will disable it

I'd love to see a source for those numbers.

> 3/ over time, I am having above 70 lines in sysctl.conf to get
> FreeBSD secured and the network strong and fast.

It's a policy decision whether FreeBSD out-of-the-box should be heavily optimized and non-standards-conformant, or be conservatively configured. I'd argue for the latter.

> 4/ the 5% unlucky people know they must take care of it (so they will
> find out about this parameter easily, as you did)

I doubt that very many people that have "hanging" connections that do not abort will be able to trace this back to this sysctl setting. On the flip side, people concerned about the attack have likely also read about mitigation mechanisms such as this one, and are able to judge the risks of enabling it.

Lars

--
Lars Eggert
NEC Network Laboratories