Interesting People mailing list archives

Re: RST packets as good network management


From: David Farber <dave () farber net>
Date: Thu, 24 Apr 2008 08:11:47 -0700


________________________________________
From: Brett Glass [brett () lariat net]
Sent: Thursday, April 24, 2008 10:57 AM
To: David Farber; ip
Subject: For IP: RST packets as good network management

At 10:18 PM 4/23/2008, Joe Touch wrote:

> To inject a RST packet with an IP address that is not your endpoint is
> forgery, plain and simple.

As a longtime programmer, network architect, and system
administrator (in other words, not just a theorist but someone who
actually runs networks), I must disagree with this statement, which
uses a loaded term ("forgery") and is inappropriately pejorative.

Firstly, our dialup routers always send out RST packets on existing
connections when a customer disconnects. This is for security and
privacy. We don't want the next caller getting (possibly
confidential) traffic destined for the prior one.

Secondly, many routers send RST packets in response to what they
see as an attack. Witness the University of Colorado students who
launched a SYN flood on a Comcast network and detected lots of RST
packets -- only to discover that the packets were coming from their
own firewall and not from Comcast!

Thirdly, network appliances have been using RST packets to
terminate individual connections for many years. The WebSense
appliance (which long pre-dates the Sandvine equipment which
Comcast has employed) uses RST packets to control access to Web
sites from a particular network or institution. If the use of such
appliances were banned, it would actually conflict with Federal law
(e.g. COPA) which requires their use in many situations.

Finally, the ability to send RST packets in response to bad
behavior (or any behavior specified by the administrator, in fact)
is built into Berkeley UNIX -- the development of whose networking
stack, as you may recall, was funded by DARPA. See the manual page
for ipfw, the default firewall for FreeBSD, at

http://www.freebsd.org/cgi/man.cgi?query=ipfw&apropos=0&sektion=0&manpath=FreeBSD+7.0-RELEASE&format=html

One of the actions when a firewall rule is matched is:

      reset  Discard packets that match this rule, and if the packet is a TCP
             packet, try to send a TCP reset (RST) notice.  The search
             terminates.

ipfilter (ipf), the other standard UNIX firewall, likewise has a
"return-rst" action. Linux's iptables offers "--reject-with tcp-reset".
And OpenBSD's recently developed pf (packet filter) offers "block
return", which sends a RST.

In short, sending back a RST packet has been around for many, many
years and is a standard action of a firewall.

It's also important to remember that an IP address is not an
identity and is not a signature. They are routinely reassigned --
often on extremely short notice -- to different users, and on our
network (as in many) a large number of users' packets run through
network address translation (NAT). This means that no IP address
corresponds to any one user or computer. And addresses are
routinely assigned via a DHCP "lease" -- in other words, they are
"leased," not owned by the users.

It seems to me that the inflammatory claims of forgery are merely a
convenient way of attempting to convince uninformed legislators and
regulators to take action against Comcast.

--Brett Glass
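An added example, not part of Brett Glass's message or of any of the firewalls he names: a small Python model of the "deny" versus "reset" actions quoted above, building the reply a reset action returns by the RFC 793 reset-generation rules. The class and function names are mine, the checksum is left zero, and every sample segment is constructed in the test rather than captured.

```python
"""Firewall 'deny' (silent drop) versus 'reset' (answer with RFC 793 RST),
as the ipfw/ipf/iptables/pf actions in the message do. Samples are constructed."""
import struct
from dataclasses import dataclass

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
# sport, dport, seq, ack, data offset, flags, window, checksum, urgent pointer
TCP_HDR = struct.Struct("!HHIIBBHHH")
@dataclass
class Segment:
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    payload: bytes = b""

    def seg_len(self) -> int:
        # RFC 793: SYN and FIN each occupy one sequence number
        return len(self.payload) + bool(self.flags & SYN) + bool(self.flags & FIN)

    def pack(self) -> bytes:
        # checksum left 0: it needs the IP pseudo-header, out of scope here
        hdr = TCP_HDR.pack(self.sport, self.dport, self.seq, self.ack,
                           5 << 4, self.flags, 65535, 0, 0)
        return hdr + self.payload

    @classmethod
    def unpack(cls, data: bytes) -> "Segment":
        sport, dport, seq, ack, off, flags, _, _, _ = TCP_HDR.unpack_from(data)
        return cls(sport, dport, seq, ack, flags, data[(off >> 4) * 4:])

def build_reset(incoming: Segment):
    """RST a firewall returns per RFC 793 'Reset Generation'; None for an
    incoming RST, which must never be answered with another RST."""
    if incoming.flags & RST:
        return None
    if incoming.flags & ACK:  # <SEQ=SEG.ACK><CTL=RST>
        return Segment(incoming.dport, incoming.sport, incoming.ack, 0, RST)
    ack = (incoming.seq + incoming.seg_len()) & 0xFFFFFFFF  # <SEQ=0><ACK=SEG.SEQ+SEG.LEN>
    return Segment(incoming.dport, incoming.sport, 0, ack, RST | ACK)
def firewall_action(action: str, raw: bytes):
    """'deny' -> None (silent drop); 'reset' -> packed RST reply, or None."""
    if action == "deny":
        return None
    if action == "reset":
        rst = build_reset(Segment.unpack(raw))
        return None if rst is None else rst.pack()
    raise ValueError(f"unknown action {action!r}")
```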



