From: Florian Weimer
To: "David S. Miller"
Cc: "Fabian Uebersax", linux-kernel@vger.kernel.org
Subject: Re: tcp vulnerability? haven't seen anything on it here...
Date: Wed, 21 Apr 2004 23:39:26 +0200
Message-ID: <874qrdggdt.fsf@deneb.enyo.de>
In-Reply-To: <20040421132642.60c21268.davem@redhat.com> (David S. Miller's message of "Wed, 21 Apr 2004 13:26:42 -0700")
References: <435F241B01CDFC44B50865371254BC3702426157@ch-flu-exchange> <20040421132642.60c21268.davem@redhat.com>

"David S. Miller" writes:

> On Wed, 21 Apr 2004 19:27:01 +0200
> "Fabian Uebersax" wrote:
>
>> http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-00.txt
>
> Anyone who recommends responding to a RST packet, does not
> understand TCP very well.

This was my thought as well.  Surely you don't want to deploy such a
drastic change to the TCP state engine after just so little
investigation.

In the confined environment of BGP peerings, the risks can be
controlled (RSTs are typically rate-limited on the receiving end
anyway, for example).  On the net as a whole, you have to be
compatible with all implementations ever written.  If some
implementation replied to the ACK cookie with another RST with a
suitable sequence number, there might be a few issues.

(BTW, TCP connections used for BGP typically have port numbers from a
very small set.  So there is no additional randomness from that which
offers any additional protection.)

-- 
Current mail filters: many dial-up/DSL/cable modem hosts, and the
following domains: atlas.cz, bigpond.com, postino.it, tiscali.co.uk,
tiscali.cz, tiscali.it, voila.fr.
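The disagreement above is about how a receiver should treat a RST whose sequence number falls inside the receive window. The following model, added here as an illustration and not code from this thread or from the Linux kernel, puts the classic RFC 793 rule (any in-window RST tears the connection down) next to the rule proposed in draft-ietf-tcpm-tcpsecure (only a RST that lands exactly on RCV.NXT resets; any other in-window RST is answered with an ACK, the "ACK cookie" Florian refers to, so a genuine peer can retry with the exact sequence number). The `RcvState`, `Action` and function names are this example's own, and the `challenge_budget` rate limit is an assumption of the model, not something the -00 draft specifies.

```python
"""Toy model of TCP RST acceptance: RFC 793 versus the tcpsecure challenge
ACK rule.  Added example, not kernel code.  Sequence arithmetic is modulo
2**32 as in TCP, so wrap-around is handled."""

from dataclasses import dataclass
from enum import Enum

MOD = 1 << 32


class Action(Enum):
    DROP = "drop"                   # segment silently ignored
    RESET = "reset"                 # connection torn down
    CHALLENGE_ACK = "challenge"     # send an ACK carrying RCV.NXT, keep connection


@dataclass
class RcvState:
    rcv_nxt: int          # next sequence number expected from the peer
    rcv_wnd: int          # advertised receive window
    # Assumption of this model: cap on challenge ACKs sent, so a flood of
    # in-window RSTs cannot turn the receiver into an ACK generator.
    challenge_budget: int = 100


def in_window(seq: int, st: RcvState) -> bool:
    # RFC 793 acceptability test for a zero-length segment:
    # RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, evaluated modulo 2**32
    return (seq - st.rcv_nxt) % MOD < st.rcv_wnd


def rst_rfc793(seq: int, st: RcvState) -> Action:
    """Classic behaviour: any in-window RST is honoured."""
    return Action.RESET if in_window(seq, st) else Action.DROP


def rst_tcpsecure(seq: int, st: RcvState) -> Action:
    """Draft tcpsecure behaviour: exact match resets, in-window mismatch is
    challenged with an ACK, out-of-window is dropped."""
    if not in_window(seq, st):
        return Action.DROP
    if seq == st.rcv_nxt:
        return Action.RESET
    if st.challenge_budget <= 0:
        return Action.DROP
    st.challenge_budget -= 1
    return Action.CHALLENGE_ACK


def legitimate_peer_rst_for(ack_num: int) -> int:
    # RFC 793: a host that holds no matching connection answers a segment
    # carrying ACK with <SEQ=SEG.ACK><CTL=RST>, so the retried RST carries
    # exactly the RCV.NXT the challenger advertised.
    return ack_num


def tcpsecure_exchange(seq: int, st: RcvState, peer_on_path: bool) -> Action:
    """Run one RST through the tcpsecure rule and, if it is challenged, the
    peer's follow-up.  Only the real peer sees the challenge ACK; a sender
    that merely guessed an in-window sequence number never receives it, so
    the connection survives."""
    first = rst_tcpsecure(seq, st)
    if first != Action.CHALLENGE_ACK:
        return first
    if not peer_on_path:
        return Action.DROP
    return rst_tcpsecure(legitimate_peer_rst_for(st.rcv_nxt), st)


if __name__ == "__main__":
    # Constructed state: expecting byte 1000, 64 KiB window.
    for seq in (999, 1000, 20000, 1000 + 65535):
        a = rst_rfc793(seq, RcvState(1000, 65535))
        b = rst_tcpsecure(seq, RcvState(1000, 65535))
        print(f"seq={seq:>6}  rfc793={a.value:<9} tcpsecure={b.value}")
```

The model makes the trade-off in the thread concrete: under the draft rule an in-window-but-inexact RST costs the receiver one extra ACK and requires the peer to follow RFC 793's "reply to a stray ACK with RST" behaviour for a genuine close to succeed, which is exactly the compatibility question Florian raises for implementations in the wild.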