From: jayanth
To: Mike Silbersack
Date: Fri, 23 Apr 2004 16:19:36 -0700
Subject: Re: [Full-Disclosure] IETF Draft - Fix for TCP vulnerability (fwd)
Message-ID: <20040423231936.GC21555@yahoo-inc.com>
In-Reply-To: <20040423182801.G5436@odysseus.silby.com>
References: <200404231041.i3NAfR7E051507@gw.catspoiler.org> <20040423182801.G5436@odysseus.silby.com>
cc: freebsd-security@FreeBSD.org
cc: Don Lewis
cc: avalon@caligula.anu.edu.au
cc: jayanth@yahoo-inc.com
cc: kernel@yahoo-inc.com

Mike Silbersack (silby@silby.com) wrote:
>
> On Fri, 23 Apr 2004, Don Lewis wrote:
>
> > > What type of packet was causing the Alteons to emit the RST? SYN, FIN,
> > > normal data?
> > >
> > > Also, has Alteon fixed the problem or do their load balancers still
> > > exhibit the behavior?
> >
> > The link I posted showed it was a FIN, and after the RST was sent (and
> > ignored by the FreeBSD stack because of the strict sequence number
> > check), the Alteon (or whatever it was) did not respond to the
> > retransmissions of the FIN packet.
> >
> > Maybe we can get by with the strict check by default and add a sysctl to
> > revert to the permissive check.
>
> I think Darren's suggestion would be a reasonable compromise; use the
> strict check in the ESTABLISHED state, and the permissive check otherwise.
> Established connections are what would be attacked, so we need the
> security there, but the closing states are where oddities seem to pop up,
> so we can use the permissive check there.
>
> If this is acceptable, I'd like to get it committed this weekend so that
> we can still get it into 4.10.
>

sure, that sounds reasonable. The sysctl should be good for yahoo.

thanks,
jayanth
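The compromise discussed in this thread (exact-match RST check while ESTABLISHED, in-window check in the closing states, and a sysctl to fall back to the permissive rule everywhere), written out as an added C example. This is not code from the thread or from the FreeBSD source: the `SEQ_LT`/`SEQ_GEQ` macros, the trimmed `tcpcb`, the state names and the `tcp_rst_strict` knob standing in for the sysctl are all constructed here, and the scenario in `main` is a constructed re-telling of the middlebox behaviour Don describes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Wraparound-safe sequence comparisons, written in the style of the
 * SEQ_LT/SEQ_GEQ macros of the BSD stack (constructed here, not copied). */
#define SEQ_LT(a, b)  ((int32_t)((a) - (b)) < 0)
#define SEQ_GEQ(a, b) ((int32_t)((a) - (b)) >= 0)

/* Only the states needed to show the decision; names follow BSD convention. */
enum tcp_state {
    TCPS_ESTABLISHED, TCPS_CLOSE_WAIT, TCPS_FIN_WAIT_1,
    TCPS_CLOSING, TCPS_LAST_ACK, TCPS_FIN_WAIT_2, TCPS_TIME_WAIT
};

/* Minimal stand-in for the control block fields the check needs. */
struct tcpcb {
    enum tcp_state t_state;
    uint32_t rcv_nxt;   /* next sequence number we expect to receive */
    uint32_t rcv_wnd;   /* receive window we currently advertise */
};

/* Hypothetical knob standing in for the sysctl discussed in the thread:
 * 1 = exact-match check while ESTABLISHED, 0 = permissive check everywhere. */
int tcp_rst_strict = 1;

enum rst_verdict { RST_DROP = 0, RST_ACCEPT = 1 };

/* Decide whether an incoming RST carrying sequence number seg_seq should
 * tear down the connection described by tp. */
enum rst_verdict tcp_rst_check(const struct tcpcb *tp, uint32_t seg_seq)
{
    /* Zero window: RFC 793 leaves only seg_seq == rcv_nxt acceptable. */
    if (tp->rcv_wnd == 0)
        return seg_seq == tp->rcv_nxt ? RST_ACCEPT : RST_DROP;

    /* Permissive check: anywhere in [rcv_nxt, rcv_nxt + rcv_wnd). */
    bool in_window = SEQ_GEQ(seg_seq, tp->rcv_nxt) &&
                     SEQ_LT(seg_seq, tp->rcv_nxt + tp->rcv_wnd);
    if (!in_window)
        return RST_DROP;

    /* Strict check: while ESTABLISHED, demand the exact expected sequence
     * number, so a forged RST must match one value rather than a whole window. */
    if (tcp_rst_strict && tp->t_state == TCPS_ESTABLISHED)
        return seg_seq == tp->rcv_nxt ? RST_ACCEPT : RST_DROP;

    /* Closing states (and ESTABLISHED with the knob off) keep the permissive rule,
     * which is what lets the FIN/RST oddity in the thread finish cleanly. */
    return RST_ACCEPT;
}

/* Convenience wrapper so a scenario can be expressed in one call. */
enum rst_verdict rst_check_for(enum tcp_state st, uint32_t rcv_nxt,
                               uint32_t rcv_wnd, uint32_t seg_seq)
{
    struct tcpcb tp = { st, rcv_nxt, rcv_wnd };
    return tcp_rst_check(&tp, seg_seq);
}

int main(void)
{
    /* Constructed scenario after the thread: a middlebox answers a FIN
     * retransmission with an RST whose sequence number lies inside the
     * window but is not exactly rcv_nxt. */
    const uint32_t nxt = 1000, wnd = 65535, inexact = nxt + 100;
    printf("ESTABLISHED, in-window but inexact RST: %s\n",
           rst_check_for(TCPS_ESTABLISHED, nxt, wnd, inexact) ? "accept" : "drop");
    printf("FIN_WAIT_1,  in-window but inexact RST: %s\n",
           rst_check_for(TCPS_FIN_WAIT_1, nxt, wnd, inexact) ? "accept" : "drop");
    return 0;
}
```

The comparisons go through `int32_t` differences rather than plain `<`, so the window test stays correct when `rcv_nxt + rcv_wnd` wraps past 2^32; the zero-window branch is the edge case a plain in-window test would otherwise get wrong.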