Re: ECN & cisco firewall

From: Albert D. Cahalan (acahalan@cs.uml.edu)
Date: Fri Sep 08 2000 - 13:57:32 EST


David S. Miller writes:
> From: Ulrich Kiermayr <kie@thp.univie.ac.at>

> <quote>
> Reserved: 6 bits
>
> Reserved for future use. Must be zero.
> </quote>
>
> The point is: 'must be zero' is redefined by rfc2481 (ECN).
>
> The authors of rfc793 probably, in all honesty, really meant
> "must be set to zero by current implementations".
>
> Even though they did not say this, several pages later they bestow
> upon us the concept of being liberal in what one accepts. Perhaps

To be "liberal in what one accepts" you get rid of firewalls.
The whole point of a firewall is to be conservative.

> sites which RST these ECN carrying packets are the ones which disturb
> me the most, in the Cisco PIX case does the firewall send a reset

So, how would properly written pre-ECN software indicate
rejection of packets with the unknown ECN flag?

> That's a really anal, zero purpose, check to put into a firewall.
> I don't know of even any embedded printer stacks that puke when
> the reserved flag bits are non-zero. The only things this protects
> anyone from are extensions such as ECN :-)

Who knows what attacks might be done with future extensions?
Your firewall is buggy if it passes strange packets.
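A worked illustration of the disagreement, added here and not part of the original thread: the same 16-bit TCP header word checked under the strict RFC 793 "reserved must be zero" rule and under an ECN-aware rule that treats RFC 2481's CWR/ECE bits as defined. The port and sequence values in the constructed headers are placeholders.

```python
import struct

# Bits of the 16-bit "data offset / reserved / control" word (TCP header bytes 12-13).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ECE, CWR = 0x40, 0x80          # RFC 2481 (ECN) defines these out of the RFC 793 reserved field
RFC793_RESERVED = 0x0FC0       # the six bits RFC 793 calls "Reserved ... Must be zero"
ECN_RESERVED = 0x0F00          # the four bits still reserved once CWR/ECE are carved out


def parse_tcp_word(header: bytes) -> dict:
    """Split the word at offset 12 of a TCP header into offset, reserved bits and flags."""
    word = struct.unpack("!H", header[12:14])[0]
    return {
        "data_offset": word >> 12,
        "reserved_793": word & RFC793_RESERVED,
        "reserved_ecn": word & ECN_RESERVED,
        "flags": word & 0x00FF,
    }


def pre_ecn_policy(header: bytes) -> bool:
    """Strict RFC 793 reading: any of the six reserved bits set means drop."""
    return parse_tcp_word(header)["reserved_793"] == 0


def ecn_aware_policy(header: bytes) -> bool:
    """RFC 2481 reading: CWR/ECE are legitimate; only the remaining four bits must be zero."""
    return parse_tcp_word(header)["reserved_ecn"] == 0


def build_tcp_header(flags: int, reserved: int = 0) -> bytes:
    """Constructed minimal 20-byte TCP header; ports, seq/ack and window are placeholders."""
    word = (5 << 12) | (reserved & RFC793_RESERVED) | (flags & 0xFF)
    return struct.pack("!HHIIHHHH", 12345, 80, 1, 0, word, 65535, 0, 0)


if __name__ == "__main__":
    # An ECN-setup SYN (SYN+ECE+CWR) passes the ECN-aware check but not the strict one;
    # a packet with a bit ECN never defined fails both.
    for name, hdr in (("plain SYN", build_tcp_header(SYN)),
                      ("ECN SYN", build_tcp_header(SYN | ECE | CWR)),
                      ("undefined bit", build_tcp_header(SYN, reserved=0x0100))):
        print(f"{name:14s} strict={pre_ecn_policy(hdr)} ecn_aware={ecn_aware_policy(hdr)}")
```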



This archive was generated by hypermail 2b29 : Fri Sep 15 2000 - 21:00:11 EST