Firewall Wizards mailing list archives
RE: Inappropriate TCP Resets Considered Harmful
From: "Ofir Arkin" <ofir () sys-security com>
Date: Sat, 12 May 2001 11:31:45 +0200
> I'm mainly of the opinion that ECN is experimental, and sends non-RFC-compliant datagrams. I think that any firewalls that pass ECN enabled TCP without being explicitly configured to do so aren't doing their job properly.

I think this is, again, the question of who was here first, the chicken or the egg. Some people might suggest that a firewall does not have to verify the integrity of some field values before (or after) it processes a packet. Sure, this is not an 'original' goal of firewalls but, in my opinion, firewalls should have more intelligence than they have today. I have raised this point before. You can read my paper, "Unverified Fields - A Problem with Firewalls & Firewall Technology Today", on my web site: http://www.sys-security.com/html/papers.html. ...

> Having said that, maybe you should suggest a more appropriate firewall response? IMHO (and I'm no RFC guru) I'd say that discarding the packet and sending an ICMP parameter problem error might be more informative. That will still abort your prospective TCP connection, though. Would the ECN TCP stacks cope better with this?

An ICMP Parameter Problem error message is sent for error conditions in the IP header which are not being reported by another ICMP error message.

Just my 2 cents

Ofir Arkin [ofir () sys-security com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
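The explicit-policy approach argued for in this exchange, as an added illustration that is not code from the thread or from any of its participants: pick out the ECN-related bits of an IPv4/TCP packet (the two formerly reserved TCP flag bits and the two low bits of the IP TOS byte) and pass ECN traffic only when the administrator has turned that on, dropping it otherwise instead of resetting the connection. The packet builder, the documentation-range addresses and the verdict format are this example's own assumptions.

```python
import struct

# TCP flag bits in header byte 13. CWR and ECE are the two bits that RFC 793
# left reserved and that ECN (RFC 2481, experimental at the time) repurposed;
# a firewall that only knows RFC 793 sees them as invalid header bits.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
IP_ECN_MASK = 0x03  # low two bits of the former TOS byte carry ECT/CE marks


def build_ipv4_tcp(tcp_flags: int, tos: int = 0) -> bytes:
    """Constructed sample packet: minimal IPv4 + TCP headers, no options.
    Checksums are left zero; addresses are from documentation ranges."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    offset_and_flags = (5 << 12) | tcp_flags  # data offset 5 words, flags in low byte
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, offset_and_flags, 65535, 0, 0)
    return ip + tcp


def classify_ecn(pkt: bytes) -> str:
    """Return how (if at all) an IPv4/TCP packet uses ECN."""
    if pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (pkt[0] & 0x0F) * 4
    ip_ecn = pkt[1] & IP_ECN_MASK
    flags = pkt[ihl + 13]
    if flags & SYN and flags & ECE and flags & CWR and not flags & ACK:
        return "ecn-setup-syn"        # client offering ECN
    if flags & SYN and flags & ACK and flags & ECE and not flags & CWR:
        return "ecn-setup-synack"     # server accepting ECN
    if flags & (ECE | CWR) or ip_ecn:
        return "ecn-marked"           # ECN in use mid-connection (or stray bits)
    return "no-ecn"


def ecn_policy(pkt: bytes, allow_ecn: bool = False) -> tuple:
    """Firewall verdict under an explicit ECN policy.

    ECN traffic passes only when the administrator has enabled it; otherwise
    it is dropped, not reset. No ICMP Parameter Problem is generated either:
    that message reports errors in the IP header, and the ECN negotiation
    flags being objected to sit in the TCP header.
    """
    kind = classify_ecn(pkt)
    if kind == "no-ecn" or allow_ecn:
        return "pass", kind
    return "drop", kind
```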
Current thread:
- Inappropriate TCP Resets Considered Harmful Sally Floyd (May 10)
- FW Sequence Number based statefulness Nimesh vakharia (May 11)
- Re: FW Sequence Number based statefulness Carson Gaspar (May 13)
- <Possible follow-ups>
- RE: Inappropriate TCP Resets Considered Harmful dave . goldsmith (May 11)
- RE: Inappropriate TCP Resets Considered Harmful Ben Nagy (May 11)
- RE: Inappropriate TCP Resets Considered Harmful Ofir Arkin (May 13)
- Re: Inappropriate TCP Resets Considered Harmful Darren Reed (May 13)
- Re: Inappropriate TCP Resets Considered Harmful Sally Floyd (May 13)
- Re: Inappropriate TCP Resets Considered Harmful Darren Reed (May 14)
- RE: Inappropriate TCP Resets Considered Harmful Ben Nagy (May 14)
- RE: Inappropriate TCP Resets Considered Harmful Ben Nagy (May 14)
- Re: Inappropriate TCP Resets Considered Harmful Darren Reed (May 14)
- RE: Inappropriate TCP Resets Considered Harmful Ben Nagy (May 16)
- RE: Inappropriate TCP Resets Considered Harmful Crispin Harris (May 16)
- RE: Inappropriate TCP Resets Considered Harmful Crispin Harris (May 16)
- FW Sequence Number based statefulness Nimesh vakharia (May 11)