On Fri, Jun 20, 2008 at 12:49:43PM -0700, Darrin Chandler wrote:
> > Yes, you use sloppy state only on the host(s) seeing half of the traffic.
>
> So to say it even more plainly... anywhere you are forced to deal with
> asymmetric routing you can use sloppy state in place of not having any
> stateful option. Would that be a fair statement?
It's a fair statement if by 'forced' you mean, 'compelled beyond your control, with no other options, having fully understood the consequences and informed all relevant parties of the risks involved'. This "feature" is NOT a substitute for good network design. sloppy state performs basically NO security checks on the TCP stream; more importantly the TCP state tracking is extremely loose and it's trivial for an attacker to spoof creation of "fully-established" TCP connections, which will not time out for an extremely long time, filling your state table and blocking legitimate traffic. It's dangerous.
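As an added illustration that is not part of the thread above: if you do end up using sloppy state for an asymmetric path, the exposure the reply describes (spoofed "established" states that outlive everything else and fill the table) can at least be contained with pf.conf's per-rule state options. The interface name, addresses and limit values below are placeholders, and the specific numbers are assumptions to be tuned per box, not recommendations from the thread.

```pf
# Constructed example; interface, addresses and limits are placeholders.
ext_if  = "em0"
web_srv = "192.0.2.10"

# Global cap on the state table so a flood of spoofed states cannot take
# the whole thing; the value is an assumption, size it for your memory.
set limit states 100000
# Bind states to the interface they were created on.
set state-policy if-bound

# Symmetric traffic keeps full TCP tracking (sequence and window checks)
# and requires the handshake to start with a SYN.
pass in on $ext_if proto tcp from any to $web_srv port 443 \
    flags S/SA keep state

# Only the rule that sees half the conversation gets sloppy tracking.
# No "flags S/SA" here: with asymmetric routing the first packet this
# host sees may not be the SYN. The state options cap how many states
# this one rule may create, how many per source address, and shorten
# the established timeout (default is 24h) so spoofed states expire.
pass in on $ext_if proto tcp from any to $web_srv port 80 \
    keep state (sloppy, max-states 20000, max-src-states 50, \
                tcp.established 3600)
```

The point of scoping these options to the single sloppy rule is that the rest of the ruleset keeps the strict tracking, and an attacker who spoofs established connections through the sloppy rule exhausts that rule's own budget (max-states) rather than the shared table, and is throttled per source (max-src-states) before that. None of this makes sloppy state safe; it only bounds how much damage the loose tracking can do.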