Re: ECN & cisco firewall

From: David S. Miller (davem@redhat.com)
Date: Fri Sep 08 2000 - 04:56:59 EST


   Date: Fri, 8 Sep 2000 11:42:54 +0200 (CEST)
   From: Ulrich Kiermayr <kie@thp.univie.ac.at>

   <quote>
     Reserved: 6 bits

        Reserved for future use. Must be zero.
   </quote>

   The point is: 'must be zero' is redefined by rfc2481 (ECN).

The authors of rfc793 probably, in all honesty, really meant
"must be set to zero by current implementations".

Even though they did not say this, several pages later they bestow
upon us the concept of being liberal in what one accepts. Perhaps
Cisco PIX firewall engineers missed this paragraph. :-) Also, there
is not one part of the packet parsing steps they describe which says
"if any reserved flag bits are non-zero, drop packet" or "reset" (the
sites which RST these ECN carrying packets are the ones which disturb
me the most, in the Cisco PIX case does the firewall send a reset
back?).

That's a really anal, zero purpose, check to put into a firewall.
I don't know of even any embedded printer stacks that puke when
the reserved flag bits are non-zero. The only things this protects
anyone from are extensions such as ECN :-)

Later,
David S. Miller
davem@redhat.com
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Fri Sep 15 2000 - 21:00:10 EST