Date:      Mon, 18 Dec 2000 20:27:10 +0100
From:      Jesper Skriver <jesper@skriver.dk>
To:        Mike Silbersack <silby@silby.com>
Cc:        Kris Kennaway <kris@FreeBSD.ORG>, Poul-Henning Kamp <phk@critter.freebsd.dk>, security-officer@FreeBSD.ORG, cvs-all@FreeBSD.ORG, freebsd-net@FreeBSD.org
Subject:   Re: what to do now ?  Was: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h
Message-ID:  <20001218202710.A16059@skriver.dk>
In-Reply-To: <Pine.BSF.4.21.0012181310290.63148-100000@achilles.silby.com>; from silby@silby.com on Mon, Dec 18, 2000 at 01:20:51PM -0600
References:  <20001218182600.C1856@skriver.dk> <Pine.BSF.4.21.0012181310290.63148-100000@achilles.silby.com>

On Mon, Dec 18, 2000 at 01:20:51PM -0600, Mike Silbersack wrote:
> 
> On Mon, 18 Dec 2000, Jesper Skriver wrote:
> 
> > - Check for SYN-SENT state removed
> 
> I was thinking about this point, and I think there are two compelling
> reasons to keep it enabled only for the SYN_SENT state.
> 
> First, the cases in which connections are in progress to a port which is
> in the process of being blocked for the first time are rare.  The slight
> chance that honoring such messages will allow connections to be falsely
> reset outweighs the small gain of killing connections over paths that have
> suddenly been firewalled.

I agree, but others requested that I remove this check. The real-life
problem is when setting up the sessions; I strongly suggest that we keep
this check in.

> Second, if I understand correctly, this code may be able to kill IPSEC
> connections too. (?)  

IPsec runs on top of GRE, right? Only the IKE phase runs over TCP.

This code only applies to TCP, so I think it would have little, if any,
impact on IPsec.

> If so, it would allow a simple packet sniffer and
> spoofer to defeat all the fancy crypto in use.  (If someone's more
> familiar with IPSEC and this patch could clarify, it would be
> appreciated.)

/Jesper

-- 
Jesper Skriver, jesper(at)skriver(dot)dk  -  CCIE #5456
Work:    Network manager @ AS3292 (Tele Danmark DataNetworks)
Private: Geek            @ AS2109 (A much smaller network ;-)

One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.
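As an added illustration of the policy being argued over in this thread (example code written for this page, not code from the FreeBSD commit or from either poster): an ICMP Destination Unreachable quotes the offending IP header plus the first 8 bytes of TCP, which is enough to look up the connection it claims to concern; restricting the tear-down to SYN_SENT connections limits what a forged message can do. The honored code set, the connection-table shape and the packet builder are assumptions for this example.

```python
import struct
from typing import NamedTuple, Optional

# Hard-error codes honored (assumed set): port unreachable and the three
# administratively-prohibited codes; net/host unreachable are soft errors.
HARD_UNREACH_CODES = {3, 9, 10, 13}
SYN_SENT, ESTABLISHED = "SYN_SENT", "ESTABLISHED"

class Conn(NamedTuple):
    src: str          # local address, as it appears in our outgoing packets
    sport: int
    dst: str
    dport: int
    state: str

def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def parse_icmp_unreach(pkt: bytes) -> Optional[tuple]:
    """Return (code, (src, sport, dst, dport)) quoted by an ICMP type 3 message.
    pkt is the ICMP message with the outer IP header already stripped; the
    quoted datagram is the original IPv4 header plus 8 bytes of TCP header."""
    if len(pkt) < 8 + 20 + 8 or pkt[0] != 3:         # too short / not Dest. Unreachable
        return None
    inner = pkt[8:]
    ihl = (inner[0] & 0x0F) * 4
    if inner[9] != 6 or len(inner) < ihl + 8:        # quoted datagram must be TCP
        return None
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return pkt[1], (_ip(inner[12:16]), sport, _ip(inner[16:20]), dport)

def should_drop(conns, pkt: bytes, syn_sent_only: bool = True) -> bool:
    """Decide whether the ICMP message may tear down a connection."""
    parsed = parse_icmp_unreach(pkt)
    if parsed is None or parsed[0] not in HARD_UNREACH_CODES:
        return False
    for c in conns:
        if (c.src, c.sport, c.dst, c.dport) == parsed[1]:
            # SYN_SENT restriction as discussed in the thread: the quoted header
            # is forgeable, so established connections ignore the message.
            return c.state == SYN_SENT or not syn_sent_only
    return False                                      # no matching connection

def build_unreach(code: int, src: str, sport: int, dst: str, dport: int) -> bytes:
    """Construct test input: ICMP type 3 quoting a TCP segment (checksums left 0)."""
    octets = lambda a: bytes(int(o) for o in a.split("."))
    inner_ip = bytes([0x45, 0, 0, 40, 0, 0, 0x40, 0, 64, 6, 0, 0]) + octets(src) + octets(dst)
    inner_tcp = struct.pack("!HHI", sport, dport, 0x12345678)   # ports + sequence number
    return struct.pack("!BBHI", 3, code, 0, 0) + inner_ip + inner_tcp
```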

