David S. Miller writes:
>    From: Ulrich Kiermayr <[EMAIL PROTECTED]>

>    <quote>
>      Reserved:  6 bits
> 
>       Reserved for future use.  Must be zero.
>    </quote>
> 
>    The point is: 'must be zero' is redefined by rfc2481 (ECN).
> 
> The authors of rfc793 probably, in all honesty, really meant
> "must be set to zero by current implementations".
> 
> Even though they did not say this, several pages later they bestow
> upon us the concept of being liberal in what one accepts.  Perhaps

To be "liberal in what one accepts" you get rid of firewalls.
The whole point of a firewall is to be conservative.

> sites which RST these ECN carrying packets are the ones which disturb
> me the most, in the Cisco PIX case does the firewall send a reset

So, how would properly written pre-ECN software indicate
rejection of packets with the unknown ECN flag?

> That's a really anal, zero purpose, check to put into a firewall.
> I don't know of even any embedded printer stacks that puke when
> the reserved flag bits are non-zero.  The only things this protects
> anyone from are extensions such as ECN :-)

Who knows what attacks might be done with future extensions?
Your firewall is buggy if it passes strange packets.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
Please read the FAQ at http://www.tux.org/lkml/
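A worked illustration of the check the thread is arguing about, added here as an example and not code from the thread, the kernel, or any firewall product. It decodes the 16-bit word at TCP header offset 12 and applies both readings of the "Reserved: 6 bits, must be zero" rule: the strict RFC 793 policy (a pre-ECN firewall rejects any non-zero reserved bit) and the ECN-aware policy (RFC 2481, later RFC 3168, takes the two low bits of that field as CWR and ECE, so only the remaining four stay reserved). The sample headers are constructed inline; the port and sequence numbers in them are arbitrary.

```python
import struct

# TCP header layout (RFC 793): the 16-bit word at byte offset 12 holds
#   bits 15..12  data offset (header length in 32-bit words)
#   bits 11..6   "Reserved: 6 bits ... Must be zero"
#   bits  5..0   URG ACK PSH RST SYN FIN
# RFC 2481 (now RFC 3168) redefined the two low reserved bits:
#   bit 7  CWR (0x80 in byte 13)
#   bit 6  ECE (0x40 in byte 13)
RFC793_RESERVED_MASK = 0x3F              # all six reserved bits
ECN_BITS_IN_RESERVED = 0x03              # CWR|ECE, the low two of the six
STILL_RESERVED_MASK = RFC793_RESERVED_MASK & ~ECN_BITS_IN_RESERVED  # 0x3C

# Byte 13 bit -> name, including the two ECN bits that overlap the reserved field.
FLAG_NAMES = [(0x80, "CWR"), (0x40, "ECE"), (0x20, "URG"), (0x10, "ACK"),
              (0x08, "PSH"), (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN")]


def tcp_reserved_bits(header: bytes) -> int:
    """Return the 6-bit RFC 793 Reserved field of a raw TCP header."""
    if len(header) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    word = struct.unpack("!H", header[12:14])[0]
    return (word >> 6) & RFC793_RESERVED_MASK


def flag_names(header: bytes) -> list:
    """Names of the flag bits set in byte 13, CWR/ECE included."""
    flags = header[13]
    return [name for bit, name in FLAG_NAMES if flags & bit]


def rfc793_strict_check(header: bytes) -> bool:
    """Pre-ECN firewall policy: every reserved bit must be zero."""
    return tcp_reserved_bits(header) == 0


def ecn_aware_check(header: bytes) -> bool:
    """ECN-aware policy: CWR and ECE are allowed, the other four bits must be zero."""
    return tcp_reserved_bits(header) & STILL_RESERVED_MASK == 0


def classify(header: bytes, ecn_aware: bool) -> str:
    """Decide accept/reject for one header under the chosen policy."""
    ok = ecn_aware_check(header) if ecn_aware else rfc793_strict_check(header)
    return "accept" if ok else "reject"


def make_tcp_header(offset_byte: int, flags_byte: int) -> bytes:
    """Constructed 20-byte TCP header; only bytes 12 and 13 matter here."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, offset_byte, flags_byte,
                       65535, 0, 0)


# Constructed samples: data offset 5 (0x50) with different flag bytes.
PLAIN_SYN = make_tcp_header(0x50, 0x02)          # ordinary SYN, reserved == 0
ECN_SYN = make_tcp_header(0x50, 0xC2)            # SYN|ECE|CWR, the RFC 2481 ECN setup
UNKNOWN_RESERVED = make_tcp_header(0x51, 0x02)   # bit 8 set, reserved under both RFCs

if __name__ == "__main__":
    for name, hdr in [("plain SYN", PLAIN_SYN), ("ECN SYN", ECN_SYN),
                      ("unknown reserved bit", UNKNOWN_RESERVED)]:
        print(f"{name:22} flags={flag_names(hdr)} reserved=0x{tcp_reserved_bits(hdr):02x} "
              f"rfc793={classify(hdr, False)} ecn_aware={classify(hdr, True)}")
```

The ECN SYN is exactly the packet a strict RFC 793 check drops (or resets) while the ECN-aware check passes it, and the header with an undefined reserved bit set is rejected by both, which is the behaviour a conservative firewall wants to keep after it has been taught about ECN.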