Interesting People mailing list archives
Re: RST packets as good network management
From: David Farber <dave () farber net>
Date: Thu, 24 Apr 2008 08:11:47 -0700
________________________________________
From: Brett Glass [brett () lariat net]
Sent: Thursday, April 24, 2008 10:57 AM
To: David Farber; ip
Subject: For IP: RST packets as good network management

At 10:18 PM 4/23/2008, Joe Touch wrote:
To inject a RST packet with an IP address that is not your endpoint is forgery, plain and simple.
As a longtime programmer, network architect, and system administrator (in other words, not just a theorist but someone who actually runs networks), I must disagree with this statement, which uses a loaded term ("forgery") and is inappropriately pejorative.

Firstly, our dialup routers always send out RST packets on existing connections when a customer disconnects. This is for security and privacy. We don't want the next caller getting (possibly confidential) traffic destined for the prior one.

Secondly, many routers send RST packets in response to what they see as an attack. Witness the University of Colorado students who launched a SYN flood on a Comcast network and detected lots of RST packets -- only to discover that the packets were coming from their own firewall and not from Comcast!

Thirdly, network appliances have been using RST packets to terminate individual connections for many years. The WebSense appliance (which long pre-dates the Sandvine equipment which Comcast has employed) uses RST packets to control access to Web sites from a particular network or institution. If the use of such appliances were banned, it would actually conflict with Federal law (e.g. COPA) which requires their use in many situations.

Finally, the ability to send RST packets in response to bad behavior (or any behavior specified by the administrator, in fact) is built into Berkeley UNIX -- the development of whose networking stack, as you may recall, was funded by DARPA. See the manual page for ipfw, the default firewall for FreeBSD, at

http://www.freebsd.org/cgi/man.cgi?query=ipfw&apropos=0&sektion=0&manpath=FreeBSD+7.0-RELEASE&format=html

One of the actions when a firewall rule is matched is:

    reset   Discard packets that match this rule, and if the packet is a TCP
            packet, try to send a TCP reset (RST) notice. The search terminates.

ipfilter (ipf), the other standard UNIX firewall, likewise has a "return-rst" action. Linux's iptables offers "--reject-with tcp-reset". And OpenBSD's recently developed pf (packet filter) offers "block return", which sends a RST.

In short, sending back a RST packet has been around for many, many years and is a standard action of a firewall.

It's also important to remember that an IP address is not an identity and is not a signature. They are routinely reassigned -- often on extremely short notice -- to different users, and on our network (as in many) a large number of users' packets run through network address translation (NAT). This means that no IP address corresponds to any one user or computer. And addresses are routinely assigned via a DHCP "lease" -- in other words, they are "leased," not owned by the users.

It seems to me that the inflammatory claims of forgery are merely a convenient way of attempting to convince uninformed legislators and regulators to take action against Comcast.

--Brett Glass

-------------------------------------------
Archives: http://www.listbox.com/member/archive/247/=now
RSS Feed: http://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com
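As an added example (not from Brett's post, nor from any of the firewalls he names), here is a small Python audit of the kind the Colorado students could have run over a capture: it parses constructed IPv4/TCP headers and lists RST segments whose IP TTL disagrees with the TTL of ordinary segments already seen from the same address and port. The TTL mismatch is an assumed heuristic for telling a reset generated by a firewall or appliance in the path from one sent by the peer host; the addresses and packets are constructed sample data.

```python
import struct

RST = 0x04  # TCP RST flag bit within the 9-bit flags field

def build_segment(src, dst, sport, dport, seq, flags, ttl):
    """Build a minimal IPv4 + TCP header pair (constructed sample data; checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 8192, 0, 0)
    return ip + tcp

def parse_segment(pkt):
    """Return (src, dst, sport, dport, seq, flags, ttl) from a raw IPv4 + TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:
        raise ValueError("not a TCP packet")
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    return src, dst, sport, dport, seq, off_flags & 0x1FF, pkt[8]

def audit_resets(packets):
    """List RSTs whose TTL differs from the TTL of non-RST traffic already seen from the
    same (address, port). Assumed heuristic: a RST generated by a firewall or appliance
    in the path has crossed a different number of hops than segments from the peer host."""
    ttl_seen = {}  # (src, sport) -> TTL of the first non-RST segment from that endpoint
    suspects = []
    for pkt in packets:
        src, dst, sport, dport, _seq, flags, ttl = parse_segment(pkt)
        key = (src, sport)
        if flags & RST:
            if key in ttl_seen and ttl_seen[key] != ttl:
                suspects.append((src, sport, dst, dport, ttl_seen[key], ttl))
        else:
            ttl_seen.setdefault(key, ttl)
    return suspects

# Constructed capture: a client handshake with a web server, then two RSTs bearing the
# server's address. The first arrives with TTL 63 (one hop away), the second with the
# server's usual TTL of 52.
SAMPLE = [
    build_segment("10.0.0.5", "192.0.2.10", 40000, 80, 100, 0x02, 64),  # SYN from client
    build_segment("192.0.2.10", "10.0.0.5", 80, 40000, 500, 0x12, 52),  # SYN-ACK from server
    build_segment("192.0.2.10", "10.0.0.5", 80, 40000, 501, RST, 63),   # RST, TTL 63
    build_segment("192.0.2.10", "10.0.0.5", 80, 40000, 501, RST, 52),   # RST, TTL 52
]

if __name__ == "__main__":
    for src, sport, dst, dport, expected, got in audit_resets(SAMPLE):
        print(f"RST {src}:{sport} -> {dst}:{dport}: TTL {got}, but {src} normally arrives with TTL {expected}")
```

Only the first RST is reported; the second has the TTL the server's own segments carry, so this heuristic cannot distinguish it from a reset the server really sent.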