Firewall Wizards mailing list archives
RE: Inappropriate TCP Resets Considered Harmful
From: Ben Nagy <ben.nagy () marconi com au>
Date: Fri, 11 May 2001 12:00:52 +1000
OK, I'll bite.

I'm mainly of the opinion that ECN is experimental, and sends non-RFC-compliant datagrams. I think that any firewalls that pass ECN-enabled TCP without being explicitly configured to do so aren't doing their job properly.

I think your reading of the RFC is flawed, by the way. RFC 793 does NOT "explicitly forbid" sending RSTs in response to malformed packets. A RST is the appropriate response from a "CLOSED" TCP listener. I think it's quite understandable that a firewall chooses to treat ports as closed for malformed packets.

Having said that, maybe you should suggest a more appropriate firewall response? IMHO (and I'm no RFC guru) I'd say that discarding the packet and sending an ICMP parameter problem error might be more informative. That will still abort your prospective TCP connection, though. Would the ECN TCP stacks cope better with this?

For the time being, though, wouldn't it be better to make ECN implementations deal with TCP RSTs (as in try and resend in non-ECN mode)? Once ECN becomes an RFC and those reserved bits get "officially" assigned, people are much more likely to be sympathetic. If an experimental protocol needs to break the RFCs for it to work, then don't whine when it doesn't. What part of MUST BE ZERO isn't clear? ;)

Cheers,
--
Ben Nagy
Devil's Advocate
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520
PGP Key ID: 0x1A86E304
-----Original Message-----
From: Sally Floyd [mailto:floyd () aciri org]
Sent: Wednesday, May 09, 2001 1:35 PM
To: firewall-wizards () nfr com
Subject: [fw-wiz] Inappropriate TCP Resets Considered Harmful

I am new to this mailing list, but I wanted to point people here to a new internet-draft of mine on "Inappropriate TCP Resets Considered Harmful", at "http://www.ietf.org/internet-drafts/draft-floyd-tcp-reset-00.txt", which argues that firewalls should not send TCP Resets (RST) in response to TCP SYN packets that contain flags in the TCP Reserved field. (Of 24,000 or so web servers that we tested as part of the TBIT project, only 300 or so were behind firewalls that send TCP resets in this case, so clearly most of the world seems to be maintaining reasonably adequate security without sending TCP Resets in this case.)

I just learned of this mailing list, so I thought that, as long as I was writing something directed in part at firewall behavior, I would send it to this list for feedback.

Thanks,
- Sally
http://www.aciri.org/floyd/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
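The two behaviours argued over in this thread (a firewall that treats any bit in the RFC 793 reserved field as "malformed" and answers with a RST, versus one that recognises the ECN-setup pattern from RFC 3168 and lets it through, and an ECN client that falls back to a plain SYN after a RST) can be made concrete with a small packet model. The following is an added example written for this archive page; it is not code from either poster, the draft or the TBIT project. The function names, the "pass/drop/rst" verdict strings and the packets it builds are constructed for illustration; the bit positions are those of RFC 793 (six reserved bits between the data offset and URG) and RFC 3168 (CWR and ECE occupying the two reserved bits next to URG), with the later RFC 3540 NS bit included only as an example of a reserved bit that is not part of ECN setup.

```python
import struct

# TCP header, RFC 793: after the two 32-bit sequence fields comes a 16-bit word with
# a 4-bit data offset, 6 reserved bits ("MUST BE ZERO") and the 6 control flags.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ECE, CWR = 0x40, 0x80            # RFC 3168 takes these two reserved bits for ECN
NS = 0x100                       # RFC 3540 nonce-sum bit; still "reserved" to RFC 793
RFC793_RESERVED_MASK = 0x0FC0    # the six bits between data offset and URG
ECN_SETUP_SYN = SYN | ECE | CWR  # RFC 3168 "ECN-setup SYN"
ECN_SETUP_SYNACK = SYN | ACK | ECE


def build_tcp_header(sport, dport, seq, flags_word, window=65535):
    """Build a fixed 20-byte TCP header; flags_word carries control and ECN bits.
    Checksum and urgent pointer are left zero (this is a model, not a sender)."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0,
                       (5 << 12) | (flags_word & 0x0FFF), window, 0, 0)


def parse_tcp_header(raw):
    """Parse the fixed header and split the offset/reserved/flags word the RFC 793 way."""
    if len(raw) < 20:
        raise ValueError("short TCP header: %d bytes" % len(raw))
    sport, dport, seq, ack, word, window, csum, urg = struct.unpack("!HHIIHHHH", raw[:20])
    data_offset = word >> 12
    if data_offset < 5:
        raise ValueError("data offset %d < 5" % data_offset)
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": data_offset,
        "flags": word & 0x3F,                                   # URG..FIN
        "reserved793": (word & RFC793_RESERVED_MASK) >> 6,      # strict RFC 793 view
        "ecn_bits": word & (CWR | ECE | NS),                    # RFC 3168/3540 view
        "window": window,
    }


def firewall_verdict(hdr, ecn_aware):
    """Model of a SYN-filtering firewall's decision for one parsed header.

    ecn_aware=False is the behaviour the draft objects to: any non-zero bit in the
    RFC 793 reserved field is "malformed", the port is treated as CLOSED, and the
    firewall answers with a RST.  ecn_aware=True is the alternative: an RFC 3168
    ECN-setup SYN or SYN-ACK is passed, other reserved-bit combinations are silently
    dropped (the "discard" response discussed in the reply above, minus the ICMP).
    """
    if hdr["reserved793"] == 0:
        return "pass"
    if not ecn_aware:
        return "rst"
    full = hdr["flags"] | hdr["ecn_bits"]
    if full in (ECN_SETUP_SYN, ECN_SETUP_SYNACK):
        return "pass"
    return "drop"


def attempt_connect(fw_ecn_aware, retry_plain):
    """Constructed handshake attempt: an ECN-capable client sends an ECN-setup SYN
    through the modelled firewall and, if retry_plain is set, resends a plain SYN
    after a RST (the fallback suggested in the reply above).  Returns the trail of
    (packet, verdict) pairs so the outcome can be inspected."""
    seq = 0x1000
    ecn_syn = parse_tcp_header(build_tcp_header(40000, 80, seq, ECN_SETUP_SYN))
    trail = [("ecn-syn", firewall_verdict(ecn_syn, fw_ecn_aware))]
    if trail[-1][1] == "rst" and retry_plain:
        plain = parse_tcp_header(build_tcp_header(40000, 80, seq, SYN))
        trail.append(("plain-syn", firewall_verdict(plain, fw_ecn_aware)))
    return trail


if __name__ == "__main__":
    for aware in (False, True):
        for retry in (False, True):
            print("firewall ecn_aware=%s client_retry=%s -> %s"
                  % (aware, retry, attempt_connect(aware, retry)))
```

Running the block prints the four combinations: a strict firewall with a non-retrying client never completes the handshake, the same firewall with a client that falls back to a plain SYN does, and an ECN-aware firewall passes the ECN-setup SYN on the first try. A SYN carrying only the NS bit is still dropped by the ECN-aware policy, which is the point of matching the exact RFC 3168 patterns rather than ignoring the reserved field altogether.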
Current thread:
- Inappropriate TCP Resets Considered Harmful Sally Floyd (May 10)
- FW Sequence Number based statefulness Nimesh vakharia (May 11)
- Re: FW Sequence Number based statefulness Carson Gaspar (May 13)
- <Possible follow-ups>
- RE: Inappropriate TCP Resets Considered Harmful dave . goldsmith (May 11)
- RE: Inappropriate TCP Resets Considered Harmful Ben Nagy (May 11)
- RE: Inappropriate TCP Resets Considered Harmful Ofir Arkin (May 13)
- Re: Inappropriate TCP Resets Considered Harmful Darren Reed (May 13)
- Re: Inappropriate TCP Resets Considered Harmful Sally Floyd (May 13)
- Re: Inappropriate TCP Resets Considered Harmful Darren Reed (May 14)
- RE: Inappropriate TCP Resets Considered Harmful Ben Nagy (May 14)
- RE: Inappropriate TCP Resets Considered Harmful Ben Nagy (May 14)
- Re: Inappropriate TCP Resets Considered Harmful Darren Reed (May 14)
- RE: Inappropriate TCP Resets Considered Harmful Ben Nagy (May 16)
- RE: Inappropriate TCP Resets Considered Harmful Crispin Harris (May 16)
- RE: Inappropriate TCP Resets Considered Harmful Crispin Harris (May 16)
- FW Sequence Number based statefulness Nimesh vakharia (May 11)