From: Alan Cox <alan@lxorguk.ukuu.org.uk>
Date: Fri, 15 Mar 2002 23:40:21 +0000 (GMT)
> Ignoring valid RST frames breaks TCP.
If they don't have the right MD5 frame they are not valid.
If there is an error in the network stack there is no way for
a remote TCP to fix things. Making RST frames more complex
guarentees that more error conditions will not be broken out of.
A RST must, in order to function properly, be as simple and non-error
prone as possible. MD5 signatures are totally against that.
This is why PAWS timestamp, etc. checks are DISABLED for RST frames.
Only the sequence number is verified, but that is it.
IPSEC has a lot more going for it, but most cisco's still only
support the MD5 stuff.
I frankly don't care what Cisco's do or do not do.
I don't care if Cisco made a rotten decision. I'm not going to let
Cisco's mistakes crap up Linux's networking.
Either use IPSEC or fix its' deficiencies.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Fri Mar 15 2002 - 22:00:22 EST