Hi,

I came across the following in the release notes of 6.0 recently:

"The RST handling of the FreeBSD TCP stack has been improved to make reset attacks as difficult as possible while maintaining compatibility with the widest range of TCP stacks. (...) Note that this behavior technically violates the RFC 793 specification; the conventional (but less secure) behavior can be restored by setting a new sysctl net.inet.tcp.insecure_rst to 1. [MERGED]"

This means that the default, unconfigured FreeBSD TCP implementation is no longer RFC-conformant, which has always been one of its advantages over competing systems. Although I agree that the modification can be useful in some specific setups, making it the default at this time appears hasty. The IETF's tcpm working group is evaluating mechanisms for RST processing, and one will likely move to standards track in the future.

Thus, I'd like to suggest that the default for net.inet.tcp.insecure_rst be zero for now. AFAIK, any other TCP mod came disabled be default in the past, too.

Lars
--
Lars Eggert                                     NEC Network Laboratories

Reply via email to