Date:      Wed, 3 Mar 2004 10:33:04 +1100 (Australia/ACT)
From:      Darren Reed <avalon@caligula.anu.edu.au>
To:        silby@silby.com (Mike Silbersack)
Cc:        freebsd-security@freebsd.org
Subject:   Re: mbuf vulnerability
Message-ID:  <200403022333.i22NX4qb019047@caligula.anu.edu.au>
In-Reply-To: <20040302145808.R715@odysseus.silby.com> from "Mike Silbersack" at Mar 02, 2004 02:59:25 PM

In some mail from Mike Silbersack, sie said:
> On Wed, 3 Mar 2004, Darren Reed wrote:
> > > > "strict" requires that the sequence number in packet n should match
> > > > the sequence number of the last byte in packet n-1 - i.e. no
> > > > out of order delivery is permitted.
> > > >
> > > > Darren
> > Right, so your comment about it "not working" applies to 3.x (which
> > is what comes with FreeBSD, currently), which is what I was hoping :)
> >
> > My comment was to say that with ipf4, you can address this problem.
> >
> > darren
> 
> Ok, that sounds correct.  However, it would have an adverse performance
> impact in the normal case.  Have you considered having an "almost strict"
> option that would allow maybe 3 or 4 out of order segments through?  That
> would be a great feature. :)

Indeed, there is the potential for adverse impact on TCP, and hence
it is an option.

But if I adopted your suggestion, it would be like saying it was
"almost secure".

It is primarily intended for things like, as an example, FTP command
channels or telnet or (maybe) SMTP.

Darren
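
An added illustration, not code from IPFilter or from either poster: a minimal C model of the "strict" in-order rule discussed in this thread, run over constructed segment traces. The struct and function names are hypothetical, and it assumes data-only segments (no SYN/FIN accounting), with each segment required to start exactly where the previous one ended.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Hypothetical per-direction flow state; not IPFilter's own structure. */
struct strict_state {
    uint32_t next_seq;  /* sequence number the next segment must carry */
    int primed;         /* 0 until the first segment has been seen */
};

struct segment { uint32_t seq, len; };  /* first payload byte, payload length */

/* Constructed trace: B and C swapped in flight, then C retransmitted. */
static const struct segment reordered[] = {
    {1000, 100}, {1200, 100}, {1100, 100}, {1200, 100}
};
/* Constructed trace crossing the 2^32 sequence-number wrap. */
static const struct segment wrapping[] = {
    {0xFFFFFFF0u, 0x20}, {0x10, 0x40}
};

/* Return 1 to pass, 0 to block. Only an exactly in-order segment passes. */
int strict_check(struct strict_state *st, const struct segment *sg)
{
    if (st->primed && sg->seq != st->next_seq)
        return 0;                       /* early, late or overlapping */
    st->primed = 1;
    st->next_seq = sg->seq + sg->len;   /* unsigned add wraps mod 2^32 */
    return 1;
}

/* Run a trace through a fresh state; return how many segments passed. */
size_t strict_count_passed(const struct segment *trace, size_t n)
{
    struct strict_state st = {0, 0};
    size_t passed = 0;
    for (size_t i = 0; i < n; i++)
        passed += (size_t)strict_check(&st, &trace[i]);
    return passed;
}

int main(void)
{
    printf("reordered: %zu of 4 passed\n", strict_count_passed(reordered, 4));
    printf("wrapping:  %zu of 2 passed\n", strict_count_passed(wrapping, 2));
    return 0;
}
```

In the reordered trace the early segment is blocked and only gets through when it is retransmitted after the gap is filled, which is the performance cost raised in the thread.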


