(I'm redirecting this back to freebsd-net, as it doesn't seem appropriate for bugtraq.)

I did some quick investigation last night, and agree with Phil that this is a bug. When the syncache was implemented, only a subset of the normal tcp output code was copied over for the purpose of sending syn-acks. One part of the code that was not moved over was the part that determines when the DF and tos bits are set.

I also agree with Mikael that this isn't an important issue, given that syn-ack packets are quite tiny. Nonetheless, I will commit a fix in the next few days. However, it's too late to MFC it in time for 4.6-release.

Phil: In the future, please try a bit harder to notify someone if you believe that a bug is serious enough for posting to bugtraq. freebsd-net is a relatively busy list, and things do get missed.

Mike "Silby" Silbersack

On Tue, 11 Jun 2002, Mikael Olsson wrote:

>
> Phil Dibowitz wrote:
> >
> > [FreeBSD doesn't set DF in SYN/ACK]
> >
> > I don't consider this a big security hole, but it is a bug. It could
> > be used to do TCP fingerprinting, and it also breaks a standard
>
> Is this really a bug? I wouldn't be so sure. What is the purpose of
> setting DF in a SYN/ACK segment? It's not like it can react to
> returned ICMP errors and decrease the size of segment (only 40 bytes
> of IP and TCP header and a few options).
>
> I'd even argue that it's a feature. If something has an MTU that
> is so small that it can't pass TCP segments without data, there's
> nothing to be done about it, and you should let fragmentation occur.
>
> The fingerprinting point is sort of valid, I guess. However, since
> there are already BSD boxes out there doing this, the fingerprint
> value would be even greater (the fingerprint match more narrow) if
> one were to change it now.
>
> --
> Mikael Olsson, Clavister AB
> Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
> Phone: +46 (0)660 29 92 00  Mobile: +46 (0)70 26 222 05
> Fax: +46 (0)660 122 50      WWW: http://www.clavister.com
>
> "Senex semper diu dormit"
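
An added example, not part of the original thread and not FreeBSD code: a Python check that parses a raw IPv4 packet and reports whether a TCP SYN/ACK carries the DF bit, which is the behaviour discussed above. The helper `build_ipv4_tcp`, the addresses and the port numbers are constructed sample data.

```python
import struct

IP_DF = 0x4000               # Don't Fragment bit in the IPv4 flags/offset field
IP_OFFMASK = 0x1FFF          # fragment offset bits
TH_SYN, TH_ACK = 0x02, 0x10  # TCP flag bits


def synack_df(packet: bytes):
    """Return True/False for the DF bit of a TCP SYN/ACK, or None when the
    bytes are not a parseable, unfragmented IPv4 TCP SYN/ACK."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4              # IP header length, options included
    if ihl < 20 or len(packet) < ihl + 14:    # need TCP header up to the flags byte
        return None
    (flags_off,) = struct.unpack_from("!H", packet, 6)
    if packet[9] != 6 or (flags_off & IP_OFFMASK):
        return None                           # not TCP, or a later fragment
    tcp_flags = packet[ihl + 13]
    if (tcp_flags & (TH_SYN | TH_ACK)) != (TH_SYN | TH_ACK):
        return None                           # not a SYN/ACK
    return bool(flags_off & IP_DF)


def build_ipv4_tcp(df: bool, tcp_flags: int, ip_options: bytes = b"") -> bytes:
    """Constructed sample packet (checksums left at zero, documentation IPs)."""
    ihl_words = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0,
                     ihl_words * 4 + 20, 1, IP_DF if df else 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, 1000, 2001,
                      5 << 4, tcp_flags, 65535, 0, 0)
    return ip + ip_options + tcp


if __name__ == "__main__":
    samples = {
        "SYN/ACK with DF": build_ipv4_tcp(True, TH_SYN | TH_ACK),
        "SYN/ACK without DF": build_ipv4_tcp(False, TH_SYN | TH_ACK),
        "plain SYN": build_ipv4_tcp(True, TH_SYN),
    }
    for name, pkt in samples.items():
        print(f"{name}: DF on SYN/ACK = {synack_df(pkt)}")
```
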