Date:      Wed, 9 Nov 2005 05:29:51 -0600 (CST)
From:      Mike Silbersack <silby@silby.com>
To:        Lars Eggert <lars.eggert@netlab.nec.de>
Cc:        net@freebsd.org
Subject:   Re: TCP RST handling in 6.0
Message-ID:  <20051109052044.R6480@odysseus.silby.com>
In-Reply-To: <AD6BF86B-E466-4E3B-8B33-A7A53B3B88F8@netlab.nec.de>
References:  <E019841F-389F-4B15-942E-F30F6745ECBF@netlab.nec.de> <20051108130801.Y36544@odysseus.silby.com> <AD6BF86B-E466-4E3B-8B33-A7A53B3B88F8@netlab.nec.de>


On Tue, 8 Nov 2005, Lars Eggert wrote:

> Also note that other attacks against long-lived TCP connections are still 
> possible, e.g., through spoofed ICMP packets.

I don't think we've been vulnerable to the ICMP-based reset attack for a 
few years, actually.  Using SYN packets is the best method, for now.  We 
haven't implemented any changes to how we handle SYN packets yet.  I'll 
get back on that after EuroBSDCon.

> I do see the release engineering aspects of switching this off by default. In 
> the end, it's a judgement call.

If it indeed does cause problems and I switch it back to off in 
6.0-stable, we'll have no end of people who are really confused when a 
move from 6.0-release to 6.0-stable fixes their mysterious problem.  So, 
changing is out of the question at this point.

BTW, have traces of the stacks which interact badly due to the changes in 
tcpsecure been archived somewhere?

Mike "Silby" Silbersack
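An added illustration, not part of this thread and not FreeBSD's code: a small C model of the two validation checks the message refers to. The first is RST handling in the tcpsecure style (the approach later written up as RFC 5961): instead of honouring any RST whose sequence number lands in the receive window, the stack only tears the connection down when the number is exactly RCV.NXT, answers an in-window but inexact RST with a challenge ACK, and drops everything else. The second is the ICMP-side check behind "not vulnerable to the ICMP-based reset attack": a hard error is honoured only if the TCP header it quotes carries a sequence number we actually have outstanding. The struct, field names, sample values and wrapper functions are constructed for this example; FreeBSD's real tcpcb, sysctls and code paths differ.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, minimal connection state; not FreeBSD's struct tcpcb. */
struct tcp_conn {
    uint32_t rcv_nxt;  /* next sequence number we expect from the peer */
    uint32_t rcv_wnd;  /* receive window we currently advertise */
    uint32_t snd_una;  /* oldest of our sequence numbers still unacknowledged */
    uint32_t snd_nxt;  /* next sequence number we will send */
};

enum rst_verdict { RST_ACCEPT = 0, RST_CHALLENGE_ACK = 1, RST_DROP = 2 };

/* Wrap-safe comparisons in 32-bit sequence space. */
static bool seq_lt(uint32_t a, uint32_t b)  { return (int32_t)(a - b) < 0; }
static bool seq_geq(uint32_t a, uint32_t b) { return (int32_t)(a - b) >= 0; }

/*
 * RST validation, tcpsecure style. The old rule accepted any RST whose
 * sequence number was inside the receive window, so a blind sender only had
 * to land one guess in a window of up to 64K. The tightened rule accepts an
 * exact match on RCV.NXT, answers an in-window but inexact RST with a
 * challenge ACK (a peer that genuinely has no connection replies to that
 * ACK with a RST carrying the exact number), and drops everything else.
 */
enum rst_verdict validate_rst(const struct tcp_conn *c, uint32_t seg_seq)
{
    if (seg_seq == c->rcv_nxt)
        return RST_ACCEPT;
    if (seq_geq(seg_seq, c->rcv_nxt) &&
        seq_lt(seg_seq, c->rcv_nxt + c->rcv_wnd))
        return RST_CHALLENGE_ACK;
    return RST_DROP;
}

/*
 * ICMP hard errors quote the header of the segment that allegedly triggered
 * them. Honour the error only if the quoted sequence number is one we have
 * actually sent and not yet had acknowledged: SND.UNA <= seq < SND.NXT.
 * When nothing is in flight that range is empty and every such error is
 * ignored, which is the conservative outcome.
 */
bool icmp_quoted_seq_valid(const struct tcp_conn *c, uint32_t quoted_seq)
{
    return seq_geq(quoted_seq, c->snd_una) && seq_lt(quoted_seq, c->snd_nxt);
}

/* Constructed sample state used by main() and the wrappers below. */
static const struct tcp_conn sample = {
    .rcv_nxt = 1000, .rcv_wnd = 65535, .snd_una = 5000, .snd_nxt = 6000
};

enum rst_verdict sample_rst(uint32_t seg_seq)
{
    return validate_rst(&sample, seg_seq);
}

bool sample_icmp(uint32_t quoted_seq)
{
    return icmp_quoted_seq_valid(&sample, quoted_seq);
}

/* Edge case: a receive window that straddles the 2^32 wrap. */
enum rst_verdict wrapped_rst(uint32_t seg_seq)
{
    const struct tcp_conn w = { .rcv_nxt = 0xFFFFFF00u, .rcv_wnd = 0x1000,
                                .snd_una = 0, .snd_nxt = 0 };
    return validate_rst(&w, seg_seq);
}

int main(void)
{
    static const char *names[] = { "accept", "challenge-ack", "drop" };
    uint32_t rst_seqs[] = { 1000, 1500, 999, 1000 + 65535 };
    for (size_t i = 0; i < sizeof rst_seqs / sizeof rst_seqs[0]; i++)
        printf("RST seq=%" PRIu32 " -> %s\n", rst_seqs[i],
               names[sample_rst(rst_seqs[i])]);

    uint32_t icmp_seqs[] = { 4999, 5000, 5999, 6000 };
    for (size_t i = 0; i < sizeof icmp_seqs / sizeof icmp_seqs[0]; i++)
        printf("ICMP quoted seq=%" PRIu32 " -> %s\n", icmp_seqs[i],
               sample_icmp(icmp_seqs[i]) ? "honoured" : "ignored");
    return 0;
}
```

The challenge-ACK branch is where the interoperability trouble the thread mentions can show up: a peer stack that does not respond to the challenge with an exact-sequence RST will leave the connection hanging instead of being torn down, which is why traces of the misbehaving stacks matter when deciding the default.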



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051109052044.R6480>