Re: ECN & cisco firewall

From: Ulrich Kiermayr (kie@thp.univie.ac.at)
Date: Fri Sep 08 2000 - 05:24:34 EST


On Fri, 8 Sep 2000, David S. Miller wrote:

> The authors of rfc793 probably, in all honesty, really meant
> "must be set to zero by current implementations".

That's often the problem when interpretations are possible: different
people see the meaning differently.

> Even though they did not say this, several pages later they bestow
> upon us the concept of being liberal in what one accepts. Perhaps
> Cisco PIX firewall engineers missed this paragraph. :-) Also, there
> is not one part of the packet parsing steps they describe which says
> "if any reserved flag bits are non-zero, drop packet" or "reset" (the
> sites which RST these ECN carrying packets are the ones which disturb
> me the most, in the Cisco PIX case does the firewall send a reset
> back?).

In case I haven't said this clearly enough: it seems, after several
tests, that the PIX itself sent the RST (blocking the connection) instead of
letting the SYN pass to the actual host (behind the firewall).

> That's a really anal, zero purpose, check to put into a firewall.
> I don't know of even any embedded printer stacks that puke when
> the reserved flag bits are non-zero. The only things this protects
> anyone from are extensions such as ECN :-)

Yeah, but we will see what cisco has to say about that....

LL&P Ulrich

-- 
,-,  .-.,----,---------------------------------------------------------------
| | / / |,---' Ulrich Kiermayr    Inst. for Theoret. Physics, Univ. of Vienna
| |/ /| ||_     eMail: kie@thp.univie.ac.at            PGP Key ID: 0xA8D764D8 
|   ( | | _:    ICQ: 17858333           Web: http://www.thp.univie.ac.at/~kie
| |\ \| ||     @Home: Dampierrestr. 4/5, A-1140 Vienna;      +43(699)19671909
| | \ \ |`---, @Work: Boltzmanngasse 5, A-1090 Vienna;       +43(1)4277/51555
`-'  `-''----'---------------------------------------------------------------

System going down at 5 this afternoon to install scheduler bug.
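The point under discussion is that the two ECN bits (CWR and ECE, RFC 3168) live in what RFC 793 called the six "reserved" bits of the TCP header, so a firewall that rejects any segment with a reserved bit set will refuse every ECN-setup SYN. The following is an added example, not code from the thread or from Cisco: it builds a constructed TCP header the way an ECN-capable stack sends its SYN (SYN with ECE and CWR set) and runs it through two hypothetical inspection policies, one that treats all RFC 793 reserved bits as invalid and answers with a reset (a model of the behaviour reported above, not the PIX's actual logic) and one that knows about RFC 3168 and only objects to the bits still reserved after CWR/ECE were assigned.

```python
import struct

# Control bits in the low byte of the 16-bit "data offset / reserved / control" word.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
# RFC 3168 took these two out of the RFC 793 reserved field.
ECE, CWR = 0x40, 0x80

# RFC 793: four bits of data offset, then six reserved bits, then the six control bits.
RFC793_RESERVED_MASK = 0x0FC0
# Once CWR and ECE are defined, only the top four of those six stay reserved
# (RFC 3540 later used the lowest of them as NS; ignored here).
RFC3168_RESERVED_MASK = 0x0F00

FLAG_NAMES = [(CWR, "CWR"), (ECE, "ECE"), (URG, "URG"), (ACK, "ACK"),
              (PSH, "PSH"), (RST, "RST"), (SYN, "SYN"), (FIN, "FIN")]


def build_tcp_header(sport, dport, seq, ack, flags, window=5840, data_offset=5):
    """Return a 20-byte TCP header. Constructed test data: checksum and
    urgent pointer are left zero and no options are included."""
    off_flags = (data_offset << 12) | (flags & 0x0FFF)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0)


def parse_flags(header):
    """Return the low 12 bits of the offset/flags word (reserved + control bits)."""
    (off_flags,) = struct.unpack("!H", header[12:14])
    return off_flags & 0x0FFF


def describe_flags(header):
    """Names of the set control/ECN bits, in header order."""
    f = parse_flags(header)
    return [name for bit, name in FLAG_NAMES if f & bit]


def rfc793_strict_verdict(header):
    """Hypothetical firewall policy: any RFC 793 reserved bit set -> send RST.
    This is what breaks ECN: the SYN never reaches the protected host."""
    if parse_flags(header) & RFC793_RESERVED_MASK:
        return "RST"
    return "PASS"


def rfc3168_aware_verdict(header):
    """Hypothetical policy that knows CWR/ECE are defined and only rejects
    bits that are still reserved. Being liberal here means an ECN SYN passes."""
    if parse_flags(header) & RFC3168_RESERVED_MASK:
        return "RST"
    return "PASS"


# Constructed sample segments: an ECN-setup SYN (as an ECN-capable stack sends
# it, SYN with ECE and CWR set) and an ordinary SYN for comparison.
ECN_SYN = build_tcp_header(40000, 80, 1000, 0, SYN | ECE | CWR)
PLAIN_SYN = build_tcp_header(40000, 80, 1000, 0, SYN)

if __name__ == "__main__":
    for label, seg in (("ECN SYN", ECN_SYN), ("plain SYN", PLAIN_SYN)):
        print(f"{label:9s} flags={describe_flags(seg)} "
              f"rfc793-strict={rfc793_strict_verdict(seg)} "
              f"rfc3168-aware={rfc3168_aware_verdict(seg)}")
```

The strict policy answers the ECN SYN with a reset while passing the plain SYN, which matches the symptom described in the message: only ECN-enabled clients fail, and they fail at the firewall rather than at the server. The masks are the whole difference between the two policies; a box that was written against RFC 793 alone has no way to tell an ECN negotiation from garbage in the reserved field.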

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Fri Sep 15 2000 - 21:00:10 EST