Hi David,
On Fri, Jun 10, 2005 at 03:42:48PM -0700, David S. Miller wrote:
> From: Willy TARREAU <[email protected]>
> Date: Sat, 11 Jun 2005 00:26:45 +0200
>
> > It is documented in RFC793 (p30) as the simultaneous connection initation
> > from 2 clients, although this mode has never been implemented by any
> > mainline OS (to my knowledge) as it has no real use and poses security
> > problems (eases spoofing a lot).
>
> BSD (and thus BSD derivatives) and Linux have has it since
> day one.
Indeed, I've just managed to reproduce the full test with two different
addresses as it's described in p30. I never succeeded to do it before,
perhaps I did not try it the right way. To achieve this, I had to run two
programs doing while(connect()<0). I agree that on high latency networks,
it may make sense to support the feature (eg: mars-earth file transfers).
But on regular uses, I think it's more a problem than a feature, because
it allows any third party to prevent a normal connection establishment
by only knowing the source and destination, which are sometimes easily
guessable (eg: BGP between routers) :
| A connects to B, C tries to block them by sending lots of SYN at
| intervals smaller than the latency between A and B, eg 200/s for
| a 10 ms latency.
A B (or C)
---------------+--------------------------------
<- SYN(SEQ=200) (C sends blind SYN)
<- SYN(SEQ=200) (C sends blind SYN)
SYN(SEQ=100) -> ...
<- SYN(SEQ=200) (C sends blind SYN)
SYN(SEQ=101,ACK=201) -> (A acknowledges C's SYN)
<- SYN(SEQ=300,ACK=101) (B acknowledges A's SYN)
RST(SEQ=102,ACK=301) -> (A rejects B's SYN/ACK)
<- RST(SEQ=201,ACK=102) (B rejects A's SYN/ACK)
Maybe it would be useful to have a sysctl option allowing us to disable
this behaviour when it can haev security implications ?
Also, I often test firewalls for such features and never found any one
which allows this. To be more precise, only a previous implementation of
the tcp-window-tracking in Netfilter allowed this but it opened a security
breach that we had to resolve with Jozsef, as it allowed the client to
establish a session by sending the SYN-SYN/ACK-ACK itself...
> I guess it depends upon your definition of
> "mainline OS". :-)
It does not depend on my definition, but on my knowledge, as I put the
condition in the initial mail that you quoted above :-)
Cheers,
Willy
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]