Firewall Wizards mailing list archives

Re: Inappropriate TCP Resets Considered Harmful


From: Darren Reed <darrenr () reed wattle id au>
Date: Mon, 14 May 2001 00:01:25 +1000 (EST)

In some email I received from Sally Floyd, sie wrote:
Having said that, maybe you should suggest a more appropriate firewall
response? IMHO (and I'm no RFC guru) I'd say that discarding the packet and
sending an ICMP parameter problem error might be more informative.

Yep, the next revision of the draft might try to include a suggestion
of a more appropriate response than a reset.  (Unfortunately, one
problem with ICMPs is that they might be blocked by a firewall on
the reverse path, it would seem.)

For the time being, though, wouldn't it be better to make ECN
implementations deal with TCP RSTs (as in try and resend in non-ECN mode)?

My own opinion would be that ECN implementations should be made as
robust as possible to deal with TCP RSTs, and *at the same time*
system administrators should be encouraged not to send resets in
response to Reserved flags in the TCP header.

Perhaps the next revision of the draft on "Inappropriate TCP Resets
Considered Harmful" will be more convincing.

How so?

The purpose of sending a TCP reset is to produce a response that, to the
outsider, looks like the service is not available for whatever reason.

There are ICMP responses (administratively prohibited) which tend to
suggest use by firewalls.

In using firewall specific responses it gives the attacker a clearer
map of what is and isn't filtered and how.

Darren
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
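The following is an added example, not code from the thread or from any firewall the posters mention. It models the three things under discussion in one runnable piece: the header check that makes a 1981-era filter treat the ECN bits as "reserved" (RFC 793 reserved six bits; RFC 3168 reassigned two of them as ECE and CWR), the responses a firewall can give to such a segment (a TCP reset, ICMP administratively prohibited, ICMP parameter problem, or a silent drop), and the client-side fallback Darren proposes, an ECN sender that retries without the ECN bits when its ECN-setup SYN is answered with a reset. The policy names, the `make_path` model of "firewall in front of a server", and the choice to let the client also retry after a drop or an ICMP error (not only after a RST) are assumptions made for this example; the bit layouts are those of RFC 793 and RFC 3168.

```python
import struct

# TCP flag bits in the low byte of the offset/reserved/flags word.
# RFC 793 defined the first six; RFC 3168 (ECN) later took two of the
# six "reserved" bits for ECE and CWR.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
ECN_SETUP_SYN = SYN | ECE | CWR            # RFC 3168 "ECN-setup SYN"

ICMP_DEST_UNREACH, ICMP_ADMIN_PROHIBITED = 3, 13   # type 3 / code 13
ICMP_PARAM_PROBLEM = 12                            # type 12


def build_tcp(sport, dport, flags, seq=0, ack=0, window=65535):
    """20-byte TCP header, no options. Checksum is left zero: this is
    constructed test data that never goes on the wire."""
    off_res_flags = (5 << 12) | (flags & 0xFF)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       off_res_flags, window, 0, 0)


def parse_tcp(segment):
    """Return the fields a filter looks at, with the reserved bits
    computed both ways so the two generations of check can be compared."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    sport, dport, seq, ack, orf, _win, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": orf & 0xFF,                     # includes ECE/CWR
        "reserved_rfc793": (orf >> 6) & 0x3F,    # six bits, includes ECE/CWR
        "reserved_rfc3168": (orf >> 8) & 0x0F,   # four bits left after ECN
    }


def build_icmp(icmp_type, code, offending):
    """ICMP error header (type, code, zero checksum, unused word) followed
    by the start of the offending packet. A real one quotes the IP header
    first; this constructed one quotes the TCP segment for brevity."""
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + offending[:8]


def firewall_response(segment, policy, ecn_aware=False):
    """Apply a 'no reserved bits' rule and answer according to `policy`
    ("rst", "admin-prohibited", "param-problem" or "drop"; hypothetical
    names). Returns (kind, bytes); kind is "forward", "tcp", "icmp" or "drop"."""
    hdr = parse_tcp(segment)
    reserved = hdr["reserved_rfc3168"] if ecn_aware else hdr["reserved_rfc793"]
    if reserved == 0:
        return "forward", segment
    if policy == "drop":
        return "drop", None
    if policy == "rst":
        # Indistinguishable from the host's own RST: the outsider only
        # learns "no service there".
        return "tcp", build_tcp(hdr["dport"], hdr["sport"], RST | ACK,
                                seq=0, ack=hdr["seq"] + 1)
    if policy == "admin-prohibited":
        # Type 3 / code 13 tells the outsider a filter is in the path.
        return "icmp", build_icmp(ICMP_DEST_UNREACH, ICMP_ADMIN_PROHIBITED, segment)
    if policy == "param-problem":
        return "icmp", build_icmp(ICMP_PARAM_PROBLEM, 0, segment)
    raise ValueError(f"unknown policy {policy!r}")


def make_path(policy, ecn_aware=False, ecn_server=True):
    """Model 'firewall in front of a server' as one callable:
    segment -> (kind, reply). The server answers a forwarded SYN with a
    SYN/ACK, adding ECE when the SYN was an ECN-setup SYN (RFC 3168)."""
    def send(segment):
        kind, reply = firewall_response(segment, policy, ecn_aware)
        if kind != "forward":
            return kind, reply
        hdr = parse_tcp(segment)
        flags = SYN | ACK
        if ecn_server and hdr["flags"] & (ECE | CWR) == (ECE | CWR):
            flags |= ECE
        return "tcp", build_tcp(hdr["dport"], hdr["sport"], flags,
                                seq=1000, ack=hdr["seq"] + 1)
    return send


def _is_synack(kind, reply):
    if kind != "tcp":
        return False
    f = parse_tcp(reply)["flags"]
    return bool(f & SYN) and bool(f & ACK) and not f & RST


def ecn_client_connect(send, sport=40000, dport=80, isn=1):
    """Send an ECN-setup SYN; if it is not answered with a SYN/ACK (a RST,
    a silent drop, or an ICMP error) retry once with ECE/CWR cleared.
    Returns whether the connection came up and whether ECN was negotiated."""
    kind, reply = send(build_tcp(sport, dport, ECN_SETUP_SYN, seq=isn))
    if _is_synack(kind, reply):
        return {"connected": True, "ecn": bool(parse_tcp(reply)["flags"] & ECE)}
    kind, reply = send(build_tcp(sport, dport, SYN, seq=isn))   # fallback
    return {"connected": _is_synack(kind, reply), "ecn": False}


if __name__ == "__main__":
    for policy in ("rst", "drop", "admin-prohibited"):
        print(policy, ecn_client_connect(make_path(policy)))
    print("ecn-aware rst", ecn_client_connect(make_path("rst", ecn_aware=True)))
```

Running the block shows the point of the thread from both sides: behind a filter that resets on the old six-bit reserved field the client only gets a connection after dropping ECN, while the same "rst" policy on an ECN-aware filter (four reserved bits) lets the ECN-setup SYN through and the handshake negotiates ECN. Swapping the policy to "admin-prohibited" changes nothing for the client's fallback, but the type 3 / code 13 bytes it sees are the firewall-specific marker Darren is arguing against.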
