Firewall Wizards mailing list archives

RE: Inappropriate TCP Resets Considered Harmful


From: dave.goldsmith () intelsat com
Date: Thu, 10 May 2001 18:39:30 -0400

RFC 793 when describing the TCP header has this to say about the 6 bits in
between the Data Offset and Control Bits:

   Reserved:  6 bits
      Reserved for future use.  Must be zero.

Given that ECN is currently an experimental protocol and may soon be moving
to proposed protocol, but it is not yet a required protocol, it would seem
that these "offending implementations" are indeed following the current
requirements.  The reserved bits MUST be zero and they are choosing to send
a RST if they are not.

From your draft:
   RFC 1122 "amends, corrects, and supplements" RFC 793.  RFC 1122
   says nothing specific about sending resets, or not sending resets,
   in response to flags in the TCP Reserved field.

Usually, the absence of any specific instruction would open the window for
interpretation.  If RFC 1122 said that implementations MUST NOT send RSTs in
response to flags in the Reserved field being used, then any implementations
that do take this action would be incorrect.

MUST is an imperative.
SHOULD is a suggestion.
"     " is an invitation to interpretation.

R/S,
Dave Goldsmith
dave.goldsmith () intelsat com
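An added example, not code from either message or from the draft: a Python decoder that pulls the RFC 793 six-bit Reserved field out of a TCP header and classifies a SYN by whether those bits are all zero, carry only the two bits ECN uses (ECE and CWR, the low-order pair of that field), or something else. A firewall can log or silently drop on that basis rather than answer with a RST. The header bytes are constructed inline and `build_syn` is a helper assumed here for the example.

```python
import struct

# Bit positions within the 16-bit data-offset/flags word (RFC 793).
# RFC 793 treats bits 11..6 as Reserved ("must be zero"); ECN reuses the
# low two of them as CWR (bit 7) and ECE (bit 6).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ECE, CWR = 0x40, 0x80
RESERVED_MASK = 0x0FC0  # the six RFC 793 reserved bits


def parse_tcp_header(hdr: bytes) -> dict:
    """Decode the fixed 20-byte TCP header and expose the raw RFC 793
    Reserved value alongside the six control bits."""
    if len(hdr) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", hdr[:14])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": (off_flags >> 12) * 4,        # header length in bytes
        "reserved": (off_flags & RESERVED_MASK) >> 6,  # RFC 793 view: 6 bits
        "ecn_bits": (off_flags >> 6) & 0x03,           # ECN view: ECE, CWR
        "flags": off_flags & 0x3F,                     # URG..FIN
    }


def classify_syn(hdr: bytes) -> str:
    """Classify a SYN by how it uses the Reserved field; a policy engine
    can map these labels to pass/log/drop instead of sending a RST."""
    h = parse_tcp_header(hdr)
    if not (h["flags"] & SYN) or (h["flags"] & ACK):
        return "not-a-syn"
    if h["reserved"] == 0:
        return "reserved-zero"          # strictly RFC 793 conformant
    if h["reserved"] == 0x03:           # only ECE+CWR: an ECN-setup SYN
        return "ecn-setup-syn"
    return "other-reserved-bits"        # any other non-zero reserved usage


def build_syn(extra_bits: int = 0) -> bytes:
    """Constructed sample (assumed helper): a 20-byte SYN header with
    optional extra bits OR'd into the offset/flags word. No checksum,
    not a real capture."""
    off_flags = (5 << 12) | SYN | extra_bits
    return struct.pack("!HHIIHHHH", 40000, 80, 1, 0, off_flags, 65535, 0, 0)
```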

-----Original Message-----
From: Sally Floyd [mailto:floyd () aciri org]
Sent: Tuesday, May 08, 2001 11:35 PM
To: firewall-wizards () nfr com
Subject: [fw-wiz] Inappropriate TCP Resets Considered Harmful


I am new to this mailing list, but I wanted to point people here
to a new internet-draft of mine on "Inappropriate TCP Resets Considered
Harmful", at 
"http://www.ietf.org/internet-drafts/draft-floyd-tcp-reset-00.txt",
which argues that firewalls should not send TCP Resets (RST) in response
to TCP SYN packets that contain flags in the TCP Reserved field.

(Of 24,000 or so web servers that we tested as part of the TBIT project, 
only 300 or so were behind firewalls that send TCP resets in this case,
so clearly most of the world seems to be maintaining reasonably adequate
security without sending TCP Resets in this case.)

I just learned of this mailing list, so I thought that, as long as
I was writing something directed in part at firewall behavior, I
would send it to this list for feedback.

Thanks,
- Sally
http://www.aciri.org/floyd/
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards