Subject: Re: SYN cookie ?
To: None <suxm@gnuchina.org>
From: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
List: tech-kern
Date: 04/19/2001 18:05:37
> client NetBSD Firewall server
> ------ ---------- ------
> 1. SYN----------- - - - - - - - - - ->
> 2. <------------SYN-ACK(cookie)
> 3. ACK----------- - - - - - - - - - ->
Now, assume that the #3 packet is dropped.
At this point, the firewall using cookies has no connection state.
The client is waiting for the server to send something.
The client now hangs forever waiting for a packet which will never
arrive.
> >Is it realistically feasible? Not meaning "can it be done" but "can it be
> >done right"?
syn cookies cannot be done correctly because of the way TCP is
defined.
- Bill
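A small simulation of the failure described above, added here as an example and not part of the original thread: a stateless cookie check of the kind a firewall would do, followed by a handshake in which packet 3 is lost. The cookie layout, the secret and the addresses are constructed for the demo, not taken from any real stack.

```python
import hmac
import hashlib

SECRET = b"constructed-demo-secret"   # assumption: a per-host secret, rotated in real stacks

def make_cookie(src, sport, dst, dport, client_isn, counter):
    """Server ISN as a SYN cookie: an 8-bit time counter in the top byte and a
    24-bit keyed hash of the 4-tuple, client ISN and counter below it.
    Simplified layout for illustration, not the exact Bernstein/Linux encoding."""
    c = counter & 0xFF
    msg = f"{src}:{sport}>{dst}:{dport}:{client_isn}:{c}".encode()
    tag = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return (c << 24) | int.from_bytes(tag[:3], "big")

def check_cookie(src, sport, dst, dport, client_isn, ack, counter, max_age=4):
    """Validate the ACK of a SYN-ACK with no stored state: recover the counter
    from the acknowledged ISN, recompute the cookie and compare."""
    isn = (ack - 1) & 0xFFFFFFFF                  # the ACK acknowledges ISN + 1
    c = isn >> 24
    if (counter - c) & 0xFF > max_age:            # cookie too old, reject
        return False
    expected = make_cookie(src, sport, dst, dport, client_isn, c)
    return hmac.compare_digest(expected.to_bytes(4, "big"), isn.to_bytes(4, "big"))

def handshake(drop_final_ack, counter=7):
    """Three-way handshake through a cookie-using firewall (packets 1-3 from
    the diagram). Returns the client's view and the firewall's table."""
    key = ("10.0.0.2", 40000, "10.0.0.1", 25)     # constructed; port 25: server speaks first
    client_isn = 1000
    fw_table = {}                                 # (1) SYN arrives, no entry is created
    server_isn = make_cookie(*key, client_isn, counter)   # (2) SYN-ACK carries the cookie
    client = {"state": "ESTABLISHED", "unacked": 0}       # (3) client sends ACK, nothing outstanding
    ack_num = (server_isn + 1) & 0xFFFFFFFF
    if not drop_final_ack and check_cookie(*key, client_isn, ack_num, counter):
        fw_table[key] = "ESTABLISHED"             # state exists only once the ACK is seen
    return client, fw_table

def client_hangs(client, fw_table):
    """True when the client believes the connection is up, has nothing to
    retransmit (so no timer will ever fire) and the firewall holds no state."""
    return client["state"] == "ESTABLISHED" and client["unacked"] == 0 and not fw_table
```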