On Wed, Apr 21, 2004 at 01:50:28AM -0500, Mike Silbersack wrote:
>
> On Tue, 20 Apr 2004, Don Lewis wrote:
>
> > I am concerned that step C will not solve the compatibility problem. The
> > FreeBSD host is sending a FIN to close an established connection, and
> > the peer host is adding the window size advertised in the FIN packet to the
> > sequence number acknowledged in the FIN packet, and using the sum as the
> > sequence number for the RST packet, which puts the sequence number at
> > the end of the receive window.
>
> Would it be feasible for us to create a four to five element array to
> track "resettable" sequence numbers? This could hold the sequence numbers
> of the last few packets transmitted, and account for that edge case as
> well. I'm very uneasy with the IETF step C - sending more packets out
> into the network sounds like a new type of amplification attack.

I'm also somewhat skeptical. Considering the attack that this is
supposed to mitigate, it would probably be a good idea to implement this
as a compile time option defaulting OFF at first. Those really worried
about an attack (running BGP?) can utilize it, as well as those testing
interoperability for a while.

Cheers,
--
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
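The FIN/RST edge case Don Lewis raises, the "resettable sequence numbers" array Mike Silbersack proposes, and the challenge-ACK volume behind the amplification worry, as an added model written for this thread (not code from FreeBSD or the IETF draft). It assumes the pre-draft check accepts an RST sitting exactly at the right edge of the receive window, and all sequence numbers and window sizes are constructed.

```python
# Added model of RST validation policies discussed in the thread (constructed values).
from collections import deque

WRAP = 1 << 32

def in_window(seq, rcv_nxt, rcv_wnd, right_inclusive):
    """Is seq inside [rcv_nxt, rcv_nxt + rcv_wnd) modulo 2**32?
    right_inclusive=True also accepts the right edge rcv_nxt + rcv_wnd (assumed pre-draft behaviour)."""
    off = (seq - rcv_nxt) % WRAP
    return off < rcv_wnd or (right_inclusive and off == rcv_wnd)

def relaxed_rst(seq, rcv_nxt, rcv_wnd):
    """Assumed pre-draft rule: any in-window RST, right edge included, tears the connection down."""
    return "reset" if in_window(seq, rcv_nxt, rcv_wnd, True) else "drop"

def step_c_rst(seq, rcv_nxt, rcv_wnd, resettable=()):
    """IETF step C: exact match resets; any other in-window RST is answered with a
    challenge ACK; out-of-window RSTs are dropped. `resettable` models Mike's
    proposed short array of extra sequence numbers that may also reset."""
    if seq == rcv_nxt or seq in resettable:
        return "reset"
    if in_window(seq, rcv_nxt, rcv_wnd, False):
        return "challenge-ack"
    return "drop"

def fin_rst_edge_case(resettable_slots=4):
    """Our FIN acknowledged 1000 and advertised a 65535-byte window (constructed);
    the peer answers with RST seq = 1000 + 65535, the right edge of our window."""
    rcv_nxt, rcv_wnd = 1000, 65535
    resettable = deque(maxlen=resettable_slots)      # the 4-5 element array
    resettable.append((rcv_nxt + rcv_wnd) % WRAP)    # edge implied by the FIN we sent
    peer_rst_seq = (rcv_nxt + rcv_wnd) % WRAP
    return {
        "relaxed": relaxed_rst(peer_rst_seq, rcv_nxt, rcv_wnd),
        "step_c": step_c_rst(peer_rst_seq, rcv_nxt, rcv_wnd),
        "step_c_with_array": step_c_rst(peer_rst_seq, rcv_nxt, rcv_wnd, resettable),
    }

def challenge_acks_for_sweep(rcv_nxt, rcv_wnd, stride):
    """Count the replies a step C receiver emits when forged RSTs step through its
    window: every in-window miss costs one challenge ACK, which is the extra
    traffic the thread worries about (useful for sizing a reply rate limit)."""
    sent = 0
    for seq in range(rcv_nxt, rcv_nxt + rcv_wnd, stride):
        if step_c_rst(seq, rcv_nxt, rcv_wnd) == "challenge-ack":
            sent += 1
    return sent
```

Under the relaxed rule the peer's RST at the window edge closes the connection, under plain step C it is silently dropped (so the peer's reset is never honoured), and the small array of remembered edges restores compatibility without widening the in-window acceptance that step C closes.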