From: Glen Turner <glen.turner@aarnet.edu.au>
To: Alex Pankratov <ap@swapped.cc>
Cc: netdev@oss.sgi.com
Subject: Re: RST business
Date: Thu, 22 Apr 2004 16:38:34 +0930
Message-ID: <1082617714.9967.45.camel@andromache>
In-Reply-To: <40875F2F.7010204@swapped.cc>
On Thu, 2004-04-22 at 15:29, Alex Pankratov wrote:
> Looking at the hype around 'TCP vulnerability'
We're seeing the results of that hype. Lots of
peers ringing the NOC to urgently arrange TCP MD5
authentication of their BGP sessions. It looks
like lots of managers have read the press and
issued directives.
Which is ironic, as we're pretty insistent about
configuring MD5 authentication, and so the peer has
in the past explicitly requested that we not run BGP
authentication. In the past we've assumed that
those were Linux peers, but apparently they were just
slack.
BGP sessions are particularly vulnerable as they are long-lived
(some sessions here are longer than 400 days, so there can
be lots of attempts) and the interpretation of RST is dramatic
(remove routes learned from that neighbour).
Now if only they would release a Security Advisory
about the risks of unauthenticated OSPF and get the
same level of response :-)
> Comments ?
The essential problem is that RST is the generic
way of recovering from a failure condition in the TCP
state machine.
So trusting that the values in the remainder of
the TCP header are correct is a large leap of
faith (perhaps they got trod on by an errant
pointer, and perhaps the resulting out-of-range
value is why the other end sent us the RST).
If you choose to ignore a RST, and the RST is valid,
then you need to ensure that the TCP connection will
always time out (thus issuing its own RST).
You can expect, but not be assured of, a RST for
each subsequent packet sent on that connection
(and maybe that's a cheap way of checking if the
original RST is valid, hmmm).
Best wishes,
Glen
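The two RST policies discussed in this message, as an added illustration that is not code from the thread or from the Linux TCP stack: the classic RFC 793 rule (any RST whose sequence number lands in the receive window aborts the connection, which is what makes long-lived BGP sessions cheap to knock over blind) beside the "don't trust the first RST, probe and wait for a second one" idea Glen sketches, plus the idle timeout he says such a policy must keep so a connection whose peer really is gone still dies. The connection record, window size and the `probe`/`aborted` return values are constructed for this example.

```python
"""Model of TCP RST acceptance on a long-lived (BGP-style) session.

Added example for the netdev discussion above; the Conn record, the
'probe' policy and all constants are constructed here, not taken from
any real stack.
"""
from dataclasses import dataclass

SEQ_MOD = 1 << 32  # TCP sequence numbers wrap at 2^32


@dataclass
class Conn:
    rcv_nxt: int                 # next sequence number we expect from the peer
    rcv_wnd: int                 # receive window we have advertised
    state: str = "ESTABLISHED"
    pending_rst: bool = False    # an in-window RST was seen but not yet honoured
    idle_seconds: int = 0        # time since the peer last sent anything valid


def in_window(conn: Conn, seq: int) -> bool:
    """RFC 793 acceptability test for a RST: RCV.NXT <= SEG.SEQ < RCV.NXT+RCV.WND,
    computed modulo 2^32 so it survives sequence-number wrap."""
    return (seq - conn.rcv_nxt) % SEQ_MOD < conn.rcv_wnd


def rfc793_rst(conn: Conn, seq: int) -> str:
    """Classic behaviour: the first in-window RST aborts the connection.
    With a 64 KiB window roughly 1 in 65536 blind guesses lands, and a
    session that stays up for 400 days gives an attacker all the time
    it needs, which is the risk the message describes."""
    if conn.state != "ESTABLISHED":
        return "ignored"
    if not in_window(conn, seq):
        return "dropped"
    conn.state = "CLOSED"
    return "aborted"


def deferred_rst(conn: Conn, seq: int) -> str:
    """Policy sketched in the mail: treat the first in-window RST as
    suspect, answer it with a probe (an ACK for RCV.NXT, sent by the
    caller), and abort only if the peer answers that probe with another
    RST.  A live peer answers the probe with normal data/ACK instead."""
    if conn.state != "ESTABLISHED":
        return "ignored"
    if not in_window(conn, seq):
        return "dropped"
    if conn.pending_rst:
        conn.state = "CLOSED"         # second RST confirms the first one
        return "aborted"
    conn.pending_rst = True
    return "probe"                    # caller transmits an ACK to the peer


def on_valid_segment(conn: Conn) -> str:
    """A normal in-sequence segment from the peer shows it is still alive:
    clear the suspicion raised by a stray RST and reset the idle clock."""
    conn.pending_rst = False
    conn.idle_seconds = 0
    return "alive"


def tick(conn: Conn, seconds: int, idle_limit: int) -> str:
    """Keepalive/hold timer.  If a RST was deferred and the peer really is
    gone, nothing valid ever arrives, so the connection must still time
    out on its own (Glen's precondition for ignoring a RST at all)."""
    if conn.state != "ESTABLISHED":
        return "ignored"
    conn.idle_seconds += seconds
    if conn.idle_seconds >= idle_limit:
        conn.state = "CLOSED"
        return "timed_out"
    return "alive"


if __name__ == "__main__":
    # Constructed scenario: one spoofed RST, then the real peer keeps talking.
    classic = Conn(rcv_nxt=1000, rcv_wnd=65535)
    print("rfc793 :", rfc793_rst(classic, 1000 + 4096), classic.state)

    deferred = Conn(rcv_nxt=1000, rcv_wnd=65535)
    print("deferred:", deferred_rst(deferred, 1000 + 4096))   # probe
    print("peer    :", on_valid_segment(deferred))            # alive
    print("state   :", deferred.state)                        # ESTABLISHED

    # Peer that really reset: probe draws a second RST.
    gone = Conn(rcv_nxt=1000, rcv_wnd=65535)
    deferred_rst(gone, 1000)
    print("confirm :", deferred_rst(gone, 1000), gone.state)
```

The deferred policy still honours a genuine RST (the probe draws a second one, as the message expects), and the `tick` timer covers the case where the peer is silent after the reset, which is the condition Glen names for ignoring a RST safely.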