Re: RFC1948

[Fernando Gont <fgont%si6networks.com@localhost>]

Hi,

Just happened to see this one.

Note: a randomized ISN is better in terms of security, but may result in 
connection establishment failures (see the RFC6528).

   TL;DR; BSD have an optiomization where a new incarnation of a 
previous connection is created if the four-tuple (src addr, dst addr, 
src port, dst port) is the same as that of the previous incarnation, but 
the ISN of the new incarnation is larger than the last SEQ seen in the 
previous incarnation for that direction of the connection.

 IOW "if the same four tuple is employed for the new connection, the 
connection will nevertheless succeed if the ISN of the new connection is 
larger than the SEQ of the previous connection2.

Cheers,
Fernando
(who happens to be a co-author of RFC6528 :-) )


On 8/3/21 18:00, Jason Thorpe wrote:
> RFC6528 is standards-track:
>
> 	https://www.rfc-editor.org/info/rfc6528
>
> ...so why this change instead?
>
> > On Mar 8, 2021, at 10:17 AM, Christos Zoulas <christos%netbsd.org@localhost> wrote:
> >
> > Module Name:	src
> > Committed By:	christos
> > Date:		Mon Mar  8 18:17:27 UTC 2021
> >
> > Modified Files:
> > 	src/sys/netinet: tcp_input.c tcp_subr.c tcp_usrreq.c tcp_var.h
> >
> > Log Message:
> > Remove the unused "addin" argument (it was always 0) and go back using
> > a random iss by default (instead of rfc1948)
> >
> >
> > To generate a diff of this commit:
> > cvs rdiff -u -r1.427 -r1.428 src/sys/netinet/tcp_input.c
> > cvs rdiff -u -r1.286 -r1.287 src/sys/netinet/tcp_subr.c
> > cvs rdiff -u -r1.228 -r1.229 src/sys/netinet/tcp_usrreq.c
> > cvs rdiff -u -r1.194 -r1.195 src/sys/netinet/tcp_var.h
> >
> > Please note that diffs are not public domain; they are subject to the
> > copyright notices on the relevant files.
>
> -- thorpej


--
Fernando Gont
SI6 Networks
e-mail: fgont%si6networks.com@localhost
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492