Firewall Wizards mailing list archives

RE: Inappropriate TCP Resets Considered Harmful


From: "Ofir Arkin" <ofir () sys-security com>
Date: Sat, 12 May 2001 11:31:45 +0200

> I'm mainly of the opinion that ECN is experimental, and sends
> non-RFC-compliant datagrams. I think that any firewalls that pass ECN
> enabled TCP without being explicitly configured to do so aren't doing their
> job properly.

I think this is, again, the question of who was here first, the chicken or
the egg.
Some people might suggest that a firewall does not have to verify the
integrity of some fields' values before (or after) it processes a packet.

Sure, this is not an 'original' goal of firewalls, but, in my opinion,
firewalls should have more intelligence than they have today. I have raised
this point before. You can read my paper, "Unverified Fields - A Problem
with Firewalls & Firewall Technology Today", on my web site:
http://www.sys-security.com/html/papers.html.

...

> Having said that, maybe you should suggest a more appropriate firewall
> response? IMHO (and I'm no RFC guru) I'd say that discarding the packet and
> sending an ICMP parameter problem error might be more informative. That
> will still abort your prospective TCP connection, though. Would the ECN TCP
> stacks cope better with this?

The ICMP Parameter Problem error message is sent for error conditions in the IP
header which are not reported by another ICMP error message.


Just my 2 cents


Ofir Arkin [ofir () sys-security com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA
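As an added example, not code from Ofir's post or from anyone in the thread, the check and the response discussed above written out in Python: a raw IPv4/TCP packet is inspected for the ECN bits defined in RFC 2481 (the two low bits of the IP TOS octet, and the CWR/ECE flags in the TCP reserved bits), passed or dropped according to an explicit allow-ECN setting, and, for the IP-header case, answered with an RFC 792 ICMP Parameter Problem (type 12, code 0) whose pointer names the offending TOS octet. The packet, addresses and ports are constructed here, not captured. Note the limit the example makes visible: the Parameter Problem pointer indexes the IP header only, so when the only ECN marking is in the TCP header there is no IP-header octet for it to point at.

```python
"""Added example, not code from the original post: inspect a raw IPv4/TCP
packet for ECN marking and build the RFC 792 ICMP Parameter Problem reply
the thread discusses. Byte layouts follow RFC 791 (IPv4), RFC 793 (TCP)
and RFC 792 (ICMP); ECN bit positions follow RFC 2481 (the ECN spec in
force when this was posted). The packet below is constructed, not captured."""
import socket
import struct

IP_ECT = 0x02    # RFC 2481: ECN-Capable Transport, bit 6 of the IP TOS octet
IP_CE = 0x01     # RFC 2481: Congestion Experienced, bit 7 of the IP TOS octet
TCP_CWR = 0x80   # RFC 2481: Congestion Window Reduced, TCP reserved bit 8
TCP_ECE = 0x40   # RFC 2481: ECN-Echo, TCP reserved bit 9
TCP_ACK = 0x10
ICMP_PARAM_PROBLEM = 12  # RFC 792 type 12, code 0: the pointer indicates the error


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: bytes, dst: bytes, tos: int, payload_len: int, proto: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with its checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len,
                      0x1234, 0, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_tcp(src: bytes, dst: bytes, sport: int, dport: int, flags: int) -> bytes:
    """20-byte TCP header; the checksum covers the RFC 793 pseudo-header."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, flags, 65535, 0, 0)
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, 6, len(hdr))
    return hdr[:16] + struct.pack("!H", inet_checksum(pseudo + hdr)) + hdr[18:]


def ecn_fields(packet: bytes):
    """Return (ip_ecn_bits, tcp_ecn_flags) found in a raw IPv4/TCP packet."""
    ihl = (packet[0] & 0x0F) * 4
    ip_ecn = packet[1] & (IP_ECT | IP_CE)
    if packet[9] != 6:        # not TCP: only the IP-level bits apply
        return ip_ecn, 0
    return ip_ecn, packet[ihl + 13] & (TCP_CWR | TCP_ECE)


def firewall_verdict(packet: bytes, allow_ecn: bool = False) -> str:
    """The policy argued for in the thread: ECN passes only when explicitly enabled."""
    ip_ecn, tcp_ecn = ecn_fields(packet)
    if allow_ecn or (ip_ecn == 0 and tcp_ecn == 0):
        return "PASS"
    return "DROP"


def param_problem_pointer(packet: bytes):
    """Octet offset, within the IP header, that a Parameter Problem could point at.
    Only the TOS octet (offset 1) qualifies: TCP ECE/CWR live in the transport
    header, which the RFC 792 pointer does not cover, so None is returned when
    only those flags are set."""
    ip_ecn, _ = ecn_fields(packet)
    return 1 if ip_ecn else None


def build_param_problem(offending: bytes, pointer: int, fw_addr: bytes) -> bytes:
    """RFC 792 Parameter Problem (type 12, code 0): header and pointer, then the
    offending IP header plus the first 64 bits of its payload, sent back to the
    offending packet's source from the firewall's own address."""
    ihl = (offending[0] & 0x0F) * 4
    icmp = struct.pack("!BBHB3x", ICMP_PARAM_PROBLEM, 0, 0, pointer) + offending[: ihl + 8]
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return build_ipv4(fw_addr, offending[12:16], 0, len(icmp), proto=1) + icmp


def sample_ecn_packet() -> bytes:
    """Constructed: ECT-marked data segment carrying ECE|CWR, 10.0.0.1:40000 -> 10.0.0.2:80."""
    src, dst = socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2")
    tcp = build_tcp(src, dst, 40000, 80, TCP_ACK | TCP_ECE | TCP_CWR)
    return build_ipv4(src, dst, IP_ECT, len(tcp), proto=6) + tcp


if __name__ == "__main__":
    pkt = sample_ecn_packet()
    print("ECN bits:", ecn_fields(pkt), "verdict:", firewall_verdict(pkt))
    ptr = param_problem_pointer(pkt)
    if ptr is not None:
        reply = build_param_problem(pkt, ptr, socket.inet_aton("10.0.0.254"))
        print("ICMP Parameter Problem header:", reply[20:28].hex())
```

The firewall address 10.0.0.254 and the 10.0.0.0/24 hosts are placeholders. Running the script as-is prints the verdict for the constructed packet and the eight-byte ICMP header of the reply; feed `ecn_fields` a packet captured from a real ECN-capable host to see which of the two header locations it actually marks.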



_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards