From: John Haller <jhaller@lucent.com>
To: netdev@oss.sgi.com
Subject: SO_REUSEADDR, restarting servers, and security patches
Date: Thu, 01 Jul 2004 23:39:53 -0500
Message-ID: <40E4E719.6000508@lucent.com>
In October 2002, Yoshifuji Hideaki introduced a
patch that prevents completely any duplication
of <local-addr, local-port, remote-addr, remote-port>,
even when SO_REUSEADDR is set, preventing port
stealing denial-of-service attacks. This also
has the side effect of not allowing a server to
be immediately restarted after being stopped,
because of the sockets that remain in the TCP_TIME_WAIT
state.

Would security be negatively impacted by relaxing
the restrictions introduced by the above patch
to allow a bind to a TCP port only if all existing
references to that TCP port were in the TCP_TIME_WAIT
state, and both the listening port and all of the
TCP_TIME_WAIT sockets had the SO_REUSEADDR flag set?
This relaxation would only help in the case of
servers where the listener and connected sockets
are all stopped at the same time, and not loosely
connected servers where the connected sockets are
handled in a separate process from the listener.

I don't want to use SO_REUSEPORT for two reasons.
The first is that SO_REUSEPORT allows binding
the same address twice for active sockets. The
second is that SO_REUSEPORT is not commonly enabled.

The top message regarding the patch is located here:
http://oss.sgi.com/projects/netdev/archive/2002-10/msg00035.html
--
John Haller
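An added illustration, not code from the mail or from the kernel: a small C model of the two bind-conflict rules the message contrasts (the 2002 patch's strict rule and the proposed TIME_WAIT-only relaxation), evaluated over constructed tables of sockets already bound to a port. The enum, struct and scenario names are assumptions made here; the three tables mirror the cases the mail describes: a cleanly stopped server, a listener that is still running, and a loosely coupled server whose worker process still holds a connection.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical states of sockets already bound to the port (not kernel types). */
enum tcp_state { ST_LISTEN, ST_ESTABLISHED, ST_TIME_WAIT };

struct bound_sock {
    enum tcp_state state;
    bool reuseaddr;               /* SO_REUSEADDR was set on this socket */
};

/* Rule the mail attributes to the October 2002 patch: any socket still
 * referencing the port blocks a new bind, whatever its state or flags. */
bool bind_allowed_strict(const struct bound_sock *existing, size_t n, bool new_reuse)
{
    (void)new_reuse;
    return n == 0;
}

/* Relaxation proposed in the mail: allow the bind only if every existing
 * reference is in TIME_WAIT with SO_REUSEADDR, and the new socket sets it too. */
bool bind_allowed_relaxed(const struct bound_sock *existing, size_t n, bool new_reuse)
{
    if (!new_reuse)
        return n == 0;
    for (size_t i = 0; i < n; i++)
        if (existing[i].state != ST_TIME_WAIT || !existing[i].reuseaddr)
            return false;
    return true;
}

/* Constructed scenarios (sample data, not captured from a running kernel). */
/* 1: server fully stopped; only TIME_WAIT leftovers, all with SO_REUSEADDR. */
const struct bound_sock restart_case[] = {
    { ST_TIME_WAIT, true }, { ST_TIME_WAIT, true }, { ST_TIME_WAIT, true },
};
/* 2: listener still up, so a second bind to the port must be refused. */
const struct bound_sock running_case[] = {
    { ST_LISTEN, true }, { ST_ESTABLISHED, true },
};
/* 3: listener stopped, but a separate worker process still holds a connection. */
const struct bound_sock loose_case[] = {
    { ST_TIME_WAIT, true }, { ST_ESTABLISHED, true },
};
```

Under the strict rule the restart case is refused until the TIME_WAIT sockets expire; under the relaxed rule it is allowed, while cases 2 and 3 stay refused, which is the limitation the mail itself notes for loosely coupled servers.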