RE: Inappropriate TCP Resets Considered Harmful

[Ben Nagy <ben.nagy () marconi com au>]

OK, I'll bite.

I'm mainly of the opinion that ECN is experimental, and sends
non-RFC-compliant datagrams. I think that any firewalls that pass ECN
enabled TCP without being explicitly configured to do so aren't doing their
job properly.

I think your reading of the RFC is flawed, by the way. RFC 793 does NOT
"explicitly forbid" sending RSTs in response to malformed packets. A RST is
the appropriate response from a "CLOSED" TCP listener. I think it's quite
understandable that a firewall chooses to treat ports as closed for
malformed packets.

Having said that, maybe you should suggest a more appropriate firewall
response? IMHO (and I'm no RFC guru) I'd say that discarding the packet and
sending an ICMP parameter problem  error might be more informative. That
will still abort your prospective TCP connection, though. Would the ECN TCP
stacks cope better with this?

For the time being, though, wouldn't it be better to make ECN
implementations deal with TCP RSTs (as in try and resend in non-ECN mode)?
Once ECN becomes an RFC and those reserved bits get "officially" assigned,
people are much more likely to be sympathetic. If an experimental protocol
needs to break the RFCs for it to work, then don't whine when it doesn't.
What part of MUST BE ZERO isn't clear? ;)

Cheers,

--
Ben Nagy
Devil's Advocate
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304 

> -----Original Message-----
> From: Sally Floyd [mailto:floyd () aciri org]
> Sent: Wednesday, May 09, 2001 1:35 PM
> To: firewall-wizards () nfr com
> Subject: [fw-wiz] Inappropriate TCP Resets Considered Harmful
>
>
> I am new to this mailing list, but I wanted to point people here
> to a new internet-draft of mine on "Inappropriate TCP Resets 
> Considered
> Harmful", at 
> "http://www.ietf.org/internet-drafts/draft-floyd-tcp-reset-00.txt";,
> which argues that firewalls should not send TCP Resets (RST) 
> in response
> to TCP SYN packets that contain flags in the TCP Reserved field.
>
> (Of 24,000 or so web servers that we tested as part of the 
> TBIT project, 
> only 300 or so were behind firewalls that send TCP resets in 
> this case,
> so clearly most of the world seems to be maintaining 
> reasonably adequate
> security without sending TCP Resets in this case.)
>
> I just learned of this mailing list, so I thought that, as long as
> I was writing something directed in part at firewall behavior, I
> would send it to this list for feedback.
>
> Thanks,
> - Sally
> http://www.aciri.org/floyd/
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://www.nfr.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards