On Thu, 22 Apr 2004, Darren Reed wrote: > > Are you suggesting that we use the strict check during the ESTABLISHED > > phase, and the window-wide check during all other phases? > > Possibly :) > > I don't think it is important for session setup, but at the end of a > session, you generally want it to disappear from your connection table > sooner rather than later, right ? > > Furthermore, you're more likely to get a RST after a FIN has been > sent, by either party, if you send another ACK because the other > guy has decided to remove the socket already. Does this make > sense ? Yep, that makes sense. It would be very simple to implement as well. :) > Although this makes me wonder, what's the implication here for FIN > packets - is there none ? The draft refers to SYNs (which do get > special treatment) and RSTs (just more violent FIN packets.) > > If someone injects a FIN packet the way they would have done a RST, > what are the implications ? > Does a packet storm ensue ? > Does the FIN get ignored ? > Do FIN packets also need to be challenge-responsed now ? > > Darren I think that the third section of the draft covers this case when it talks about checking the sequence numbers in both directions for packets. Looks like we have a lot of testing to do. :| Mike "Silby" Silbersack _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "[email protected]"