Re: tcp vulnerability? haven't seen anything on it here...

[Florian Weimer]

"David S. Miller" <davem@xxxxxxxxxx> writes:

> On Wed, 21 Apr 2004 19:27:01 +0200
> "Fabian Uebersax" <fabian.uebersax@xxxxxxxxxxxxxx> wrote:
>
>> http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-00.txt
>
> Anyone who recommends responding to a RST packet, does not
> understand TCP very well.

This was my thought as well.  Surely you don't want to deploy such a
drastic change to the TCP state engine after just so little
investigation.

In the confined environment of BGP peerings, the risks can be
controlled (RSTs are typically rate-limited on the receiving end
anyway, for example).  On the net as a whole, you have to be
compatible with all implementations ever written.  If some
implementation replied to the ACK cookie with another RST with an
suitable sequence number, there might be a few issues.

(BTW, TCP connections used for BGP typically have port numbers from a
very small set.  So there is no additional randomness from that which
offers any additional protection.)

-- 
Current mail filters: many dial-up/DSL/cable modem hosts, and the
following domains: atlas.cz, bigpond.com, postino.it, tiscali.co.uk,
tiscali.cz, tiscali.it, voila.fr.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/