This is the mail archive of the ecos-discuss@sourceware.org mailing list for the eCos project.
Re: SYN problem with new TCP/IP stack
On 2006-02-12, Andrew Lunn <andrew@lunn.ch> wrote:
> For things like this i generally go back to the FreeBSD
> sources and study them.
I was thinking about doing that -- but I hadn't gotten around
to finding them yet.
> I don't see anything in the latest code which indicates that
> this "problem" has been fixed. I'm actually wondering if this
> is deliberate.
If it is, it's violating the RFC. The RFC describes the exact
"problem" I'm seeing (a host being rebooted and attempting to
re-open an "already open" connection). The RFC specifies the
solution.
> It looks like some firewalls will block SYN packets to
> established connections:
>
> http://www.checkpoint.com/appint/appint_transport_layer.html
>
> It seems to me the ACK reply is a bad idea. It provides an
> attacker with the sequence number and so allows it to hijack
> the connection.
But if you don't do it, a host that's been rebooted can't
re-establish a connection. I think security enhancements that
violate the RFC and break existing systems ought to be socket
options that are disabled by default.
> Having said that, it looks like Linux 2.6.15 will send an ACK.
>
> So, well, err. I think you should take this up with the
> FreeBSD people. Find out if they think this is a bug or a
> security feature.
Regardless of whether they think it's a bug or not, I've got to
fix it in eCos's TCP stack. My customers have systems that
worked with the old TCP stack and don't work with the new one.
--
Grant Edwards
grante at visi.com
Yow! ... I want a COLOR T.V. and a VIBRATING BED!!!
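The recovery sequence the thread argues about (RFC 793's half-open connection discovery: SYN on an established connection, ACK back, RST from the rebooted host, stale connection torn down) as an added Python simulation; this is not eCos or FreeBSD code, and the endpoint model, state names and sequence numbers are constructed for illustration.

```python
"""Simulation of RFC 793 half-open connection recovery (added example, not eCos
code): only state, SND.NXT and RCV.NXT are modelled; sequence numbers are made up."""
from dataclasses import dataclass

@dataclass
class Seg:
    flags: str      # "SYN", "SYN+ACK", "ACK" or "RST"
    seq: int
    ack: int = 0

class Tcp:
    def __init__(self, state, snd_nxt, rcv_nxt, ack_syn_when_established=True):
        self.state, self.snd_nxt, self.rcv_nxt = state, snd_nxt, rcv_nxt
        self.ack_syn = ack_syn_when_established  # RFC 793 reply vs. silent drop

    def receive(self, seg):
        """Process one segment and return the reply segment, or None."""
        if self.state == "ESTABLISHED":
            if seg.flags == "SYN" and self.ack_syn:
                # RFC 793: an out-of-window SYN on an established connection gets an
                # ACK carrying our current SND.NXT/RCV.NXT (the reply some firewalls
                # block, and the one that discloses the connection's sequence numbers)
                return Seg("ACK", self.snd_nxt, self.rcv_nxt)
            if seg.flags == "RST" and seg.seq == self.rcv_nxt:
                self.state = "LISTEN"               # stale connection torn down
        elif self.state == "LISTEN" and seg.flags == "SYN":
            self.rcv_nxt, self.state = seg.seq + 1, "SYN_RCVD"
            self.snd_nxt += 1                       # our SYN uses one sequence number
            return Seg("SYN+ACK", self.snd_nxt - 1, self.rcv_nxt)
        elif self.state == "SYN_SENT":
            if seg.flags == "ACK" and seg.ack != self.snd_nxt:
                # unacceptable ACK for our SYN: RFC 793 answers <SEQ=SEG.ACK><CTL=RST>
                return Seg("RST", seg.ack)
            if seg.flags == "SYN+ACK" and seg.ack == self.snd_nxt:
                self.rcv_nxt, self.state = seg.seq + 1, "ESTABLISHED"
        return None

def rebooted_client_reconnects(server_acks_syn, retries=3):
    """Server still holds the old ESTABLISHED connection; the rebooted client
    retransmits SYN (ISS=100) until it connects or gives up. True on success."""
    server = Tcp("ESTABLISHED", 5000, 3000, ack_syn_when_established=server_acks_syn)
    client = Tcp("SYN_SENT", 101, 0)                # SYN with seq 100 already sent
    for _ in range(retries):
        seg, sender = Seg("SYN", 100), client       # (re)transmitted SYN
        while seg is not None:                      # exchange until one side goes quiet
            receiver = server if sender is client else client
            seg, sender = receiver.receive(seg), receiver
        if client.state == "ESTABLISHED":
            return True
    return False
```

With the RFC behaviour the first SYN provokes the ACK/RST exchange that clears the stale connection and the retransmitted SYN is then accepted; with the silent-drop variant the server never answers and the rebooted client cannot reconnect, which is the breakage described above.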