tech-net archive


Re: ipf - RST packet w. sequence num.



>> This looks to me like a fairly clear violation of the above spec
>> from 793.
> Nevertheless, NetBSD accepts this packet as correct if no ipf rules
> are involved.

I think it's a defensible position that this is correct behaviour.
Without filtering turned on, there's an implicit "this host is not
trying especially hard to defend itself against hostile network
behaviour", so in borderline cases it should err on the side of
accepting traffic.

I think it's also a defensible position that this is incorrect
behaviour; accepting nonconformant traffic rarely does much more than
pile up trouble for later, and there are so few pieces of the network
that aren't exposed to hostile traffic that I'm not sure it's worth
designing for them in a general-purpose system, especially by default.

> I wonder if there is any interest from the community to get the ipf's
> and NetBSD's notion of "tcp session" to get to sync. - should I file
> a PR?

I'm not sure it's a question of differing notions of "TCP session"; I
think it may be more that the TCP stack just doesn't bother checking
that particular field.  (I don't recall looking at 793 to see whether
it says that field should be ignored on incoming RSTs.)

> Btw. we solved it at work by leaving the "broken" server-hosting
> provider.

That would be one of my recommendations, certainly.

/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML                mouse%rodents-montreal.org@localhost
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
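The disagreement above is about whether an RST whose sequence number falls outside the receive window should be honoured. RFC 793 (section 3.9, "Reset Processing") says that in all states except SYN-SENT a reset is validated by checking its SEQ field and is valid only if that sequence number is in the window. The following is an added illustration, not code from this thread, from NetBSD or from ipf: it implements that window check with 32-bit wraparound and contrasts it with the lenient behaviour described in the thread, where the field is simply not examined. The receive state and the segments are constructed values.

```python
"""RFC 793-style validation of an incoming RST segment's sequence number.

Added example, not code from the tech-net thread or from NetBSD/ipf.
The receive-window state and the sample segments are constructed.
"""
from dataclasses import dataclass

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


@dataclass
class ReceiveState:
    rcv_nxt: int  # RCV.NXT: next sequence number the receiver expects
    rcv_wnd: int  # RCV.WND: size of the receive window


def seq_in_window(seq: int, state: ReceiveState) -> bool:
    """RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, evaluated modulo 2^32.

    With a zero window RFC 793's acceptability test for a zero-length
    segment reduces to SEG.SEQ == RCV.NXT, so that case is handled first.
    """
    if state.rcv_wnd == 0:
        return seq == state.rcv_nxt
    offset = (seq - state.rcv_nxt) % SEQ_MOD
    return offset < state.rcv_wnd


def rst_acceptable(seq: int, state: ReceiveState, strict: bool) -> bool:
    """Decide whether an RST carrying SEG.SEQ == seq is honoured.

    strict=True  -> the RFC 793 rule: the sequence number must be in window.
    strict=False -> the lenient behaviour the thread describes, where the
                    stack does not check the field at all.
    """
    if not strict:
        return True
    return seq_in_window(seq, state)


def classify(segments, state: ReceiveState):
    """Map each (label, seq) pair to (strict_verdict, lenient_verdict)."""
    return {
        label: (rst_acceptable(seq, state, True), rst_acceptable(seq, state, False))
        for label, seq in segments
    }


# Constructed receive state: expecting sequence 1000, 65535-byte window.
STATE = ReceiveState(rcv_nxt=1000, rcv_wnd=65535)

# Constructed RST segments, labelled by where their SEQ falls.
SEGMENTS = [
    ("at rcv_nxt", 1000),
    ("last byte in window", 1000 + 65535 - 1),
    ("one past window", 1000 + 65535),
    ("below window", 999),
    ("far away", 3_000_000_000),
]

# Constructed state just below the 2^32 wrap, to show the modular compare.
WRAP_STATE = ReceiveState(rcv_nxt=SEQ_MOD - 10, rcv_wnd=100)


if __name__ == "__main__":
    for label, verdicts in classify(SEGMENTS, STATE).items():
        print(f"{label:22s} strict={verdicts[0]!s:5s} lenient={verdicts[1]}")
    print("wrapped seq 5 in window:", seq_in_window(5, WRAP_STATE))
```

Under the strict rule only the first two constructed segments reset the connection; the lenient path honours all five, which is exactly the "doesn't bother checking that particular field" behaviour the reply speculates about. A filter that applies the strict rule in front of a lenient stack will therefore drop resets the host itself would have accepted, which is the mismatch the original poster observed.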

