Firewall Wizards mailing list archives

Re: Inappropriate TCP Resets Considered Harmful


From: Sally Floyd <floyd () aciri org>
Date: Sat, 12 May 2001 22:45:52 -0700

> Having said that, maybe you should suggest a more appropriate firewall
> response? IMHO (and I'm no RFC guru) I'd say that discarding the packet and
> sending an ICMP parameter problem error might be more informative.

Yep, the next revision of the draft might try to include a suggestion
of a more appropriate response than a reset.  (Unfortunately, one
problem with ICMPs is that they might be blocked by a firewall on
the reverse path, it would seem.)

> For the time being, though, wouldn't it be better to make ECN
> implementations deal with TCP RSTs (as in try and resend in non-ECN mode)?

My own opinion would be that ECN implementations should be made as
robust as possible to deal with TCP RSTs, and *at the same time*
system administrators should be encouraged not to send resets in
response to Reserved flags in the TCP header.

Perhaps the next revision of the draft on "Inappropriate TCP Resets
Considered Harmful" will be more convincing.

- Sally
http://www.aciri.org/floyd/
