From owner-freebsd-net@FreeBSD.ORG Wed Nov 9 11:29:55 2005
Return-Path:
X-Original-To: net@freebsd.org
Delivered-To: freebsd-net@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 79C3316A41F for ; Wed, 9 Nov 2005 11:29:55 +0000 (GMT) (envelope-from silby@silby.com)
Received: from relay03.pair.com (relay03.pair.com [209.68.5.17]) by mx1.FreeBSD.org (Postfix) with SMTP id E788643D49 for ; Wed, 9 Nov 2005 11:29:54 +0000 (GMT) (envelope-from silby@silby.com)
Received: (qmail 94530 invoked from network); 9 Nov 2005 11:29:53 -0000
Received: from unknown (HELO localhost) (unknown) by unknown with SMTP; 9 Nov 2005 11:29:53 -0000
X-pair-Authenticated: 209.68.2.70
Date: Wed, 9 Nov 2005 05:29:51 -0600 (CST)
From: Mike Silbersack
To: Lars Eggert
In-Reply-To:
Message-ID: <20051109052044.R6480@odysseus.silby.com>
References: <20051108130801.Y36544@odysseus.silby.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: net@freebsd.org
Subject: Re: TCP RST handling in 6.0
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 09 Nov 2005 11:29:55 -0000

On Tue, 8 Nov 2005, Lars Eggert wrote:

> Also note that other attacks against long-lived TCP connections are still
> possible, e.g., through spoofed ICMP packets.

I don't think we've been vulnerable to the ICMP-based reset attack for a few years, actually. Using SYN packets is the best method, for now. We haven't implemented any changes to how we handle SYN packets yet. I'll get back on that after eurobsdcon.

> I do see the release engineering aspects of switching this off by default. In
> the end, it's a judgement call.

If it indeed does cause problems and I switch it back to off in 6.0-stable, we'll have no end of people who are really confused when a move from 6.0-release to 6.0-stable fixes their mysterious problem. So, changing is out of the question at this point.

BTW, have traces of the stacks which interact badly due to the changes in tcpsecure been archived somewhere?

Mike "Silby" Silbersack