Firewall Wizards mailing list archives

RE: Inappropriate TCP Resets Considered Harmful
From: Ben Nagy <ben.nagy () marconi com au>
Date: Fri, 11 May 2001 12:00:52 +1000

OK, I'll bite.

I'm mainly of the opinion that ECN is experimental, and sends
non-RFC-compliant datagrams. I think that any firewalls that pass ECN
enabled TCP without being explicitly configured to do so aren't doing their
job properly.

I think your reading of the RFC is flawed, by the way. RFC 793 does NOT
"explicitly forbid" sending RSTs in response to malformed packets. A RST is
the appropriate response from a "CLOSED" TCP listener. I think it's quite
understandable that a firewall chooses to treat ports as closed for
malformed packets.

Having said that, maybe you should suggest a more appropriate firewall
response? IMHO (and I'm no RFC guru) I'd say that discarding the packet and
sending an ICMP parameter problem error might be more informative. That
will still abort your prospective TCP connection, though. Would the ECN TCP
stacks cope better with this?

For the time being, though, wouldn't it be better to make ECN
implementations deal with TCP RSTs (as in try and resend in non-ECN mode)?
Once ECN becomes an RFC and those reserved bits get "officially" assigned,
people are much more likely to be sympathetic. If an experimental protocol
needs to break the RFCs for it to work, then don't whine when it doesn't.
What part of MUST BE ZERO isn't clear? ;)


Ben Nagy
Devil's Advocate
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304 

-----Original Message-----
From: Sally Floyd [mailto:floyd () aciri org]
Sent: Wednesday, May 09, 2001 1:35 PM
To: firewall-wizards () nfr com
Subject: [fw-wiz] Inappropriate TCP Resets Considered Harmful

I am new to this mailing list, but I wanted to point people here
to a new internet-draft of mine on "Inappropriate TCP Resets
Harmful", at
which argues that firewalls should not send TCP Resets (RST)
in response to TCP SYN packets that contain flags in the TCP Reserved field.

(Of 24,000 or so web servers that we tested as part of the TBIT project,
only 300 or so were behind firewalls that send TCP resets in this case,
so clearly most of the world seems to be maintaining reasonably adequate
security without sending TCP Resets in this case.)

I just learned of this mailing list, so I thought that, as long as
I was writing something directed in part at firewall behavior, I
would send it to this list for feedback.

- Sally
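The disagreement above comes down to what a firewall should do with a SYN whose RFC 793 Reserved bits are non-zero: answer with a RST, answer with an ICMP error, or silently drop it, and whether an ECN-setup SYN (the two reserved bits ECN uses, CWR and ECE, both set, which later became standard in RFC 3168) should be treated differently from arbitrary garbage in that field. The following is an added example, not code from either poster or from any firewall product: it parses a raw TCP header, separates the six-bit Reserved field into the two ECN bits and the four remaining bits, classifies the segment, and applies Ben's position (pass ECN only when explicitly configured) combined with the draft's position (drop rather than reset). The header builder, the `allow_ecn` setting and the sample segments are all constructed for the example.

```python
"""Classify inbound TCP SYNs by the state of the RFC 793 Reserved field.

Added example for the firewall-wizards thread; not code from the thread.
Distinguishes an ECN-setup SYN (SYN + ECE + CWR, no ACK) from a SYN that
carries other non-zero reserved bits, and returns a pass/drop decision
instead of answering with a RST.
"""
import struct

# Bit values of TCP header byte 13: the six RFC 793 flags plus the two
# ECN bits that RFC 3168 took from the top of the Reserved field.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80


def build_tcp_header(src_port, dst_port, seq, flags, reserved_high=0, window=65535):
    """Build a minimal 20-byte TCP header (constructed test data; checksum left 0).

    `flags` is the full byte 13 (may include ECE/CWR); `reserved_high` is the
    four Reserved bits that sit in the low nibble of byte 12.
    """
    if not 0 <= reserved_high < 16:
        raise ValueError("reserved_high is a 4-bit field")
    data_offset = 5  # 20-byte header, no options
    byte12 = (data_offset << 4) | reserved_high
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0,
                       byte12, flags & 0xFF, window, 0, 0)


def parse_tcp_header(segment):
    """Decode the fixed part of a TCP header into a dict."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, byte12, byte13, window, csum, urg = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    return {
        "src_port": src,
        "dst_port": dst,
        "seq": seq,
        "data_offset": byte12 >> 4,
        # RFC 793's six-bit Reserved field: four bits from byte 12, two from byte 13
        "reserved793": ((byte12 & 0x0F) << 2) | (byte13 >> 6),
        "flags": byte13 & 0x3F,          # URG ACK PSH RST SYN FIN
        "ecn_bits": byte13 & (ECE | CWR),
    }


def classify_syn(hdr):
    """Return 'not-syn', 'plain-syn', 'ecn-setup-syn' or 'unknown-reserved'."""
    if not (hdr["flags"] & SYN) or (hdr["flags"] & ACK):
        return "not-syn"                 # only initial connection requests matter here
    if hdr["reserved793"] == 0:
        return "plain-syn"               # MUST BE ZERO honoured
    reserved_high = hdr["reserved793"] >> 2  # the four bits ECN does not use
    if reserved_high == 0 and hdr["ecn_bits"] == (ECE | CWR):
        return "ecn-setup-syn"           # exactly the RFC 3168 ECN-setup SYN
    return "unknown-reserved"            # anything else in the Reserved field


def firewall_action(segment, allow_ecn=False):
    """Decide what to do with an inbound segment: returns (action, reason).

    Non-conforming SYNs are silently dropped rather than answered with a
    RST; an ECN-setup SYN passes only when the operator has explicitly
    enabled ECN (a hypothetical `allow_ecn` policy knob).
    """
    kind = classify_syn(parse_tcp_header(segment))
    if kind in ("not-syn", "plain-syn"):
        return "pass", kind
    if kind == "ecn-setup-syn":
        return ("pass" if allow_ecn else "drop"), kind
    return "drop", kind


if __name__ == "__main__":
    # Constructed sample segments: a plain SYN, an ECN-setup SYN, and a SYN
    # with one of the other reserved bits set.
    samples = {
        "plain": build_tcp_header(40000, 80, 1, SYN),
        "ecn": build_tcp_header(40000, 80, 1, SYN | ECE | CWR),
        "garbage": build_tcp_header(40000, 80, 1, SYN, reserved_high=0b1000),
    }
    for name, seg in samples.items():
        print(name, firewall_action(seg), firewall_action(seg, allow_ecn=True))
```

Whichever side of the RST argument one takes, the useful property of this structure is that the decision is explicit: a firewall that wants to send a RST or an ICMP parameter-problem error instead of dropping would change only the `"drop"` branches in `firewall_action`, and the classification of what counts as "malformed" stays separate from the chosen response.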
firewall-wizards mailing list
firewall-wizards () nfr com
