tech-net archive


Re: RFC1948



Hi,

Just happened to see this one.

Note: a randomized ISN is better in terms of security, but may result in connection establishment failures (see RFC6528).

TL;DR: BSD has an optimization where a new incarnation of a previous connection is created if the four-tuple (src addr, dst addr, src port, dst port) is the same as that of the previous incarnation, but the ISN of the new incarnation is larger than the last SEQ seen in the previous incarnation for that direction of the connection.

IOW, "if the same four-tuple is employed for the new connection, the connection will nevertheless succeed if the ISN of the new connection is larger than the SEQ of the previous connection".

Cheers,
Fernando
(who happens to be a co-author of RFC6528 :-) )


On 8/3/21 18:00, Jason Thorpe wrote:
RFC6528 is standards-track:

	https://www.rfc-editor.org/info/rfc6528

...so why this change instead?

On Mar 8, 2021, at 10:17 AM, Christos Zoulas <christos%netbsd.org@localhost> wrote:

Module Name:	src
Committed By:	christos
Date:		Mon Mar  8 18:17:27 UTC 2021

Modified Files:
	src/sys/netinet: tcp_input.c tcp_subr.c tcp_usrreq.c tcp_var.h

Log Message:
Remove the unused "addin" argument (it was always 0) and go back to using
a random iss by default (instead of rfc1948)


To generate a diff of this commit:
cvs rdiff -u -r1.427 -r1.428 src/sys/netinet/tcp_input.c
cvs rdiff -u -r1.286 -r1.287 src/sys/netinet/tcp_subr.c
cvs rdiff -u -r1.228 -r1.229 src/sys/netinet/tcp_usrreq.c
cvs rdiff -u -r1.194 -r1.195 src/sys/netinet/tcp_var.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


-- thorpej




--
Fernando Gont
SI6 Networks
e-mail: fgont%si6networks.com@localhost
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
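The following is an added example, not code from this thread or from the NetBSD tree. It models the two ISN strategies the thread contrasts and the TIME-WAIT reuse check Fernando describes: an RFC 6528 generator (ISN = M + F(localip, localport, remoteip, remoteport, secretkey), with MD5 as F and the RFC 793 4-microsecond clock M passed in by the caller so the run is deterministic) against a purely random ISN, each tested against "the new incarnation is accepted only if its ISN is beyond the last SEQ of the previous incarnation". The secret, the four-tuple (RFC 5737 documentation addresses), byte counts and tick counts are all constructed for the illustration.

```python
import hashlib
import random
import struct

SEQ_MASK = 0xFFFFFFFF


def seq_gt(a: int, b: int) -> bool:
    """TCP modular sequence comparison (the SEQ_GT(a, b) idiom): True when the
    32-bit wrapped difference a - b is positive as a signed value."""
    return 0 < ((a - b) & SEQ_MASK) < 0x80000000


def rfc6528_isn(clock_4us: int, laddr: str, lport: int, raddr: str, rport: int,
                secret: bytes) -> int:
    """ISN = M + F(localip, localport, remoteip, remoteport, secretkey) (RFC 6528, sec. 3).

    M is the RFC 793 clock, one tick per 4 microseconds, supplied by the caller here
    (assumption for determinism). F is MD5, the function the RFC suggests, truncated
    to 32 bits. With a fixed secret, F is constant for a given four-tuple, so successive
    ISNs for the same tuple advance exactly with the clock, as an RFC 793 ISN would.
    """
    material = (secret
                + laddr.encode() + struct.pack("!H", lport)
                + raddr.encode() + struct.pack("!H", rport))
    f = struct.unpack("!I", hashlib.md5(material).digest()[:4])[0]
    return (clock_4us + f) & SEQ_MASK


def random_isn(rng: random.Random) -> int:
    """Purely random 32-bit ISN, the default the quoted commit goes back to."""
    return rng.getrandbits(32)


def new_incarnation_accepted(isn_new: int, last_seq_prev: int) -> bool:
    """The BSD optimisation from the thread: a SYN that reuses a four-tuple still
    in TIME-WAIT is accepted only if its ISN is beyond the last SEQ seen in that
    direction of the previous incarnation."""
    return seq_gt(isn_new, last_seq_prev)


def rfc6528_reincarnation(bytes_sent: int, ticks_elapsed: int) -> bool:
    """A previous incarnation of a constructed four-tuple sent `bytes_sent` bytes;
    `ticks_elapsed` 4us ticks later the same tuple is reused. Returns whether the
    new RFC 6528 ISN passes the reuse check."""
    secret = b"constructed-example-secret"           # per-boot secret in a real stack
    tup = ("192.0.2.10", 40000, "198.51.100.7", 80)  # RFC 5737 documentation addresses
    isn_old = rfc6528_isn(1_000_000, *tup, secret)
    last_seq = (isn_old + bytes_sent) & SEQ_MASK
    isn_new = rfc6528_isn(1_000_000 + ticks_elapsed, *tup, secret)
    return new_incarnation_accepted(isn_new, last_seq)


def random_isn_failure_rate(trials: int, bytes_sent: int, seed: int = 1) -> float:
    """Fraction of reincarnations the same check rejects when both the old and the
    new ISN are independent random values (seeded so the result is repeatable)."""
    rng = random.Random(seed)
    rejected = 0
    for _ in range(trials):
        last_seq = (random_isn(rng) + bytes_sent) & SEQ_MASK
        if not new_incarnation_accepted(random_isn(rng), last_seq):
            rejected += 1
    return rejected / trials


if __name__ == "__main__":
    # 1_000_000 ticks of 4us is 4 seconds between the two incarnations.
    print("RFC 6528, 500 kB sent, reuse 4 s later:", rfc6528_reincarnation(500_000, 1_000_000))
    print("RFC 6528, 2 MB sent, reuse 4 s later:  ", rfc6528_reincarnation(2_000_000, 1_000_000))
    print("random ISN rejection rate:             ", random_isn_failure_rate(2000, 500_000))
```

With the keyed offset held constant per tuple, the RFC 6528 ISN for a reused tuple is ahead of the old last SEQ whenever the clock has advanced by more ticks than bytes were sent, which is the RFC 793 behaviour the BSD check relies on; the second call shows the known limit of that clock, where a fast previous connection outruns it. The random generator has no relation to the previous incarnation at all, so the check rejects roughly half of all reuses, which is the "connection establishment failures" caveat in Fernando's note.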





