Subject: Re: SYN cookie ?
To: None <tech-kern@netbsd.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-kern
Date: 04/23/2001 13:20:11
>>>> 1. SYN----------- - - - - - - - - - ->
>>>> 2. <------------SYN-ACK(cookie)
>>>> 3. ACK----------- - - - - - - - - - ->
>>> Now, assume that the #3 packet is dropped.
>>> The client now hangs forever waiting for a packet which will never
>>> arrive.
> No, it doesn't.
Why not? The firewall, by definition of syn-cookies, has kept no state
and hence will not retransmit anything. The client, on the other hand,
has no reason to think anything is amiss and is waiting for the server
to send its greeting banner. (Assuming, as mentioned previously, that
the protocol in question is one where the client doesn't send anything
until after it receives something from the server. SMTP and FTP are
common examples.)
The only way the client will transmit anything in this situation is if
it's got keepalives turned on, and even then, only after its initial
keepalive interval expires (which MUST default to no less than two
hours, and keepalives MUST default off anyway - per RFC1122).
der Mouse
mouse@rodents.montreal.qc.ca
7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B