From owner-freebsd-security@FreeBSD.ORG  Fri Apr 23 16:34:48 2004
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id A635C16A4CE
	for <freebsd-security@FreeBSD.org>;
	Fri, 23 Apr 2004 16:34:48 -0700 (PDT)
Received: from relay.pair.com (relay.pair.com [209.68.1.20])
	by mx1.FreeBSD.org (Postfix) with SMTP id 33D7643D54
	for <freebsd-security@FreeBSD.org>;
	Fri, 23 Apr 2004 16:34:48 -0700 (PDT)	(envelope-from silby@silby.com)
Received: (qmail 68179 invoked from network); 23 Apr 2004 23:34:47 -0000
Received: from niwun.pair.com (HELO localhost) (209.68.2.70)
  by relay.pair.com with SMTP; 23 Apr 2004 23:34:47 -0000
X-pair-Authenticated: 209.68.2.70
Date: Fri, 23 Apr 2004 18:57:20 -0500 (CDT)
From: Mike Silbersack <silby@silby.com>
To: jayanth <jayanth@yahoo-inc.com>
In-Reply-To: <20040423231936.GC21555@yahoo-inc.com>
Message-ID: <20040423185501.S5540@odysseus.silby.com>
References: <200404231041.i3NAfR7E051507@gw.catspoiler.org>
	<20040423231936.GC21555@yahoo-inc.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: freebsd-security@FreeBSD.org
cc: Don Lewis <truckman@FreeBSD.org>
cc: avalon@caligula.anu.edu.au
cc: kernel@yahoo-inc.com
Subject: Re: [Full-Disclosure] IETF Draft - Fix for TCP vulnerability (fwd)
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Apr 2004 23:34:48 -0000


On Fri, 23 Apr 2004, jayanth wrote:

> > I think Darren's suggestion would be a reasonable compromise; use the
> > strict check in the ESTABLISHED state, and the permissive check otherwise.
> > Established connections are what would be attacked, so we need the
> > security there, but the closing states are where oddities seem to pop up,
> > so we can use the permissive check there.
> >
> > If this is acceptable, I'd like to get it committed this weekend so that
> > we can still get it into 4.10.
> >
>
> sure, that sounds reasonable. The sysctl should be good for yahoo.
>
> thanks,
> jayanth

There wouldn't be a sysctl, as you wouldn't need one, if I understand
things correctly.  Since the "bad" RST is in response to the FreeBSD box
sending a FIN, the FreeBSD box would have already transitioned to
FIN_WAIT_1, and would accept the "bad" RST, as it would only be subject to
the check we're using at present.

Mike "Silby" Silbersack