On Wed, 27 Jun 2001, Glenn Johnson wrote:
> On Wed, Jun 27, 2001 at 03:00:31PM -0500, Mike Silbersack wrote:
>
> > It's a feature, not a bug. :)
> >
> > Since everyone's on vacation and we can't switch generation schemes
> > right now, I've e-mailed kris and asked if he objects to me adding a
> > sysctl which switches between the current and old generation schemes.
> > If he says it's ok, I'll commit it soon and those affected will be
> > able to use the old generation scheme.
>
> That would be great. What would be the negatives to using the old
> generation scheme?
>
> Thanks.
>
> --
> Glenn Johnson
The old scheme is possibly vulnerable to spoofing attacks, and has been
proven to be vulnerable to connection resetting attacks. See Tim
Newsham's paper on this at guardent.com (I'm not sure of the exact URL.)
It's unlikely that you'd see people abusing those weaknesses, but the
default has changed to make sure it can't happen.

A scheme which provides proper operation of TIME_WAIT and a high level of
attack resistance will be in place by the time 4.4 comes out; which scheme
that is is still up for debate. :)

Mike "Silby" Silbersack
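Added illustration of the trade-off Mike describes (not code from this thread or from FreeBSD), assuming the thread concerns TCP initial sequence number generation, as the TIME_WAIT and connection-reset references suggest: a clock-plus-constant-increment scheme is simulated next to a fully random one, and two checks are run over the ISNs each hands out. The spread of consecutive deltas shows whether one observed ISN fixes all later ones (the predictability behind reset and spoofing attacks), and the monotonic fraction shows whether each new ISN moves forward in sequence space, the property TIME_WAIT reuse relies on. The generator classes, their constants and the check functions are hypothetical names chosen here.

```python
import random

ISN_SPACE = 1 << 32  # 32-bit TCP sequence space

class ClockIsn:
    """RFC 793-style scheme (constructed illustration, not FreeBSD's code):
    the ISN advances by a fixed amount per clock tick and per connection."""
    def __init__(self, per_tick=250_000, per_conn=64_000):
        self.isn, self.per_tick, self.per_conn = 0, per_tick, per_conn
    def tick(self):
        self.isn = (self.isn + self.per_tick) % ISN_SPACE
    def next_isn(self):
        isn, self.isn = self.isn, (self.isn + self.per_conn) % ISN_SPACE
        return isn

class RandomIsn:
    """Fully random ISN, the other extreme (constructed illustration)."""
    def __init__(self, seed=None):
        self.rng = random.Random(seed)
    def tick(self):
        pass  # no clock component at all
    def next_isn(self):
        return self.rng.getrandbits(32)

def sample_isns(gen, count):
    """ISNs of `count` back-to-back connections, one clock tick apart."""
    out = []
    for _ in range(count):
        out.append(gen.next_isn())
        gen.tick()
    return out

def delta_spread(isns):
    """Range of consecutive-ISN deltas (mod 2^32). Zero means one observed
    ISN fixes all later ones; near 2^32 means observation teaches nothing."""
    deltas = [(b - a) % ISN_SPACE for a, b in zip(isns, isns[1:])]
    return max(deltas) - min(deltas)

def seq_ahead(later, earlier):
    """Sequence-space comparison: is `later` ahead of `earlier`?"""
    return 0 < (later - earlier) % ISN_SPACE < ISN_SPACE // 2

def monotonic_fraction(isns):
    """Share of ISNs that are ahead of the previous connection's ISN, the
    property TIME_WAIT reuse relies on to keep old duplicates out of range."""
    ahead = sum(seq_ahead(b, a) for a, b in zip(isns, isns[1:]))
    return ahead / (len(isns) - 1)
```

The clock scheme scores a delta spread of 0 and a monotonic fraction of 1.0, while the random scheme scores a spread close to 2^32 and a fraction near 0.5, which is the conflict between attack resistance and proper TIME_WAIT behaviour that the reply refers to.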