From: Florian Weimer <fw@deneb.enyo.de>
To: "David S. Miller" <davem@redhat.com>
Cc: "Fabian Uebersax" <fabian.uebersax@ch.tiscali.com>,
linux-kernel@vger.kernel.org
Subject: Re: tcp vulnerability? haven't seen anything on it here...
Date: Wed, 21 Apr 2004 23:39:26 +0200
Message-ID: <874qrdggdt.fsf@deneb.enyo.de>
In-Reply-To: <20040421132642.60c21268.davem@redhat.com> (David S. Miller's message of "Wed, 21 Apr 2004 13:26:42 -0700")
"David S. Miller" <davem@redhat.com> writes:
> On Wed, 21 Apr 2004 19:27:01 +0200
> "Fabian Uebersax" <fabian.uebersax@ch.tiscali.com> wrote:
>
>> http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-00.txt
>
> Anyone who recommends responding to a RST packet, does not
> understand TCP very well.
This was my thought as well. Surely you don't want to deploy such a
drastic change to the TCP state engine after just so little
investigation.
In the confined environment of BGP peerings, the risks can be
controlled (RSTs are typically rate-limited on the receiving end
anyway, for example). On the net as a whole, you have to be
compatible with all implementations ever written. If some
implementation replied to the ACK cookie with another RST with a
suitable sequence number, there might be a few issues.
(BTW, TCP connections used for BGP typically have port numbers from a
very small set. So there is no additional randomness from that which
offers any additional protection.)
--
Current mail filters: many dial-up/DSL/cable modem hosts, and the
following domains: atlas.cz, bigpond.com, postino.it, tiscali.co.uk,
tiscali.cz, tiscali.it, voila.fr.
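Added example, not part of this message or of the tcpsecure draft: a small Python model of the two RST-handling rules the thread is arguing about. classic_rst is the RFC 793 behaviour (any in-window RST aborts); challenge_ack_rst is the "respond to a RST with an ACK" rule, written the way RFC 5961 section 3.2 later specified it rather than copied from draft-00. The connection numbers, window sizes, trial counts and the assumption that the attacker already knows the four-tuple are all constructed for the illustration.

```python
# Toy model of RFC 793 RST handling versus the tcpsecure "challenge ACK"
# rule (as later published in RFC 5961 sect. 3.2). Illustration only; the
# connection numbers, window sizes and trial counts are constructed.
import random
from dataclasses import dataclass, field

SEQ_SPACE = 2 ** 32


@dataclass
class Seg:
    seq: int
    ack: int = 0
    rst: bool = False
    ackflag: bool = False


@dataclass
class Conn:
    rcv_nxt: int          # next sequence number expected from the peer
    rcv_wnd: int          # advertised receive window
    snd_nxt: int = 0      # our next sequence number (carried on the challenge ACK)
    state: str = "ESTABLISHED"
    sent: list = field(default_factory=list)   # segments emitted in response

    def in_window(self, seq):
        return (seq - self.rcv_nxt) % SEQ_SPACE < self.rcv_wnd


def classic_rst(c, seg):
    """RFC 793: a RST anywhere inside the receive window tears the connection down."""
    if seg.rst and c.in_window(seg.seq):
        c.state = "CLOSED"
        return "aborted"
    return "dropped"


def challenge_ack_rst(c, seg):
    """tcpsecure / RFC 5961 3.2: only a RST with SEQ == RCV.NXT aborts; an
    in-window but inexact RST is answered with an ACK so that a genuine peer
    can re-send a RST carrying the exact sequence number."""
    if not seg.rst:
        return "ignored"
    if seg.seq == c.rcv_nxt:
        c.state = "CLOSED"
        return "aborted"
    if c.in_window(seg.seq):
        c.sent.append(Seg(seq=c.snd_nxt, ack=c.rcv_nxt, ackflag=True))
        return "challenged"
    return "dropped"


def peer_without_connection(challenge):
    """RFC 793 reply of a host that holds no matching connection: a RST whose
    SEQ is taken from the ACK field of the segment it just received."""
    return Seg(seq=challenge.ack, rst=True)


def blind_rst_hits(handler, rcv_wnd, trials, seed=1):
    """Fire one random-SEQ RST at each of `trials` fresh connections and count
    how many the handler aborts. The four-tuple is assumed known (for BGP the
    port side of that guess is small, as the message above notes)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        c = Conn(rcv_nxt=rng.randrange(SEQ_SPACE), rcv_wnd=rcv_wnd)
        if handler(c, Seg(seq=rng.randrange(SEQ_SPACE), rst=True)) == "aborted":
            hits += 1
    return hits


def blind_rst_search_space(rcv_wnd, port_candidates):
    """(port, SEQ) guesses needed to cover the whole space: one per
    window-sized stride under the classic rule, one per sequence number
    when an exact match is required."""
    classic = -(-SEQ_SPACE // rcv_wnd) * port_candidates   # ceil division
    exact = SEQ_SPACE * port_candidates
    return classic, exact


if __name__ == "__main__":
    victim = Conn(rcv_nxt=1000, rcv_wnd=65535, snd_nxt=5000)
    spoofed = Seg(seq=1500, rst=True)               # in window, but not RCV.NXT
    print("classic  :", classic_rst(Conn(1000, 65535, 5000), spoofed))
    print("challenge:", challenge_ack_rst(victim, spoofed), victim.state)
    reply = peer_without_connection(victim.sent[0])  # a real, stale peer answers
    print("peer RST :", challenge_ack_rst(victim, reply), victim.state)
    print("blind hits, classic vs challenge (wnd 2^24, 5000 tries):",
          blind_rst_hits(classic_rst, 2 ** 24, 5000),
          blind_rst_hits(challenge_ack_rst, 2 ** 24, 5000))
    print("search space (wnd 65536, 1 port):", blind_rst_search_space(65536, 1))
```

The blind-RST simulation uses an unrealistically large 2^24 window so that the classic rule registers hits within a few thousand tries; with the exact-match rule the attacker is back to guessing a full 32-bit sequence number per port candidate. The peer_without_connection step is the compatibility case the message raises: a host with no matching connection answers the challenge ACK with a RST whose SEQ equals the ACK value, which is exactly the RCV.NXT that then tears the connection down.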