NNSquad - Network Neutrality Squad
[ NNSquad ] Ignoring RSTs
In message <20080423205231.84FF176D11@isis.visi.com>, Craig A. Finseth
<fin@finseth.com> writes
> ...
> Without having an inline blocking mechanism (eg, ACL injection into a
> router), with the significant reliability headaches incurred, RST
> injection is the ONLY mechanism for a legitimate network policy
> enforcer to block a TCP connection.
> ...
>
> ...and it will only work so long as the endpoints respect it.
>
> How long until someone patches the network driver to ignore RSTs?
Already done that :) and there's even a patch for FreeBSD that looks to
see if the TTL is plausible, so that you can accept the ones that are
more likely to be genuine :)
http://www.cl.cam.ac.uk/~rnc1/ignoring.pdf
> Sure, the end user might run into a few problems if they do so and
> have to manually cancel some connections, but far fewer than they will
> have if they continue to respect the RSTs.
RSTs are generally over-rated :) Most things stop when they don't get
ACKs; however, it can speed up stopping flows of data, and when people
are manipulating, say, mobile IP to create DoS attacks, that may be of
significant short-term interest.
> If _any_ network management mechanism is perceived to be at the
> expense of the user('s desire to achieve a goal), it will eventually
> be bypassed.
Ignoring FINs is a bit more tricky :) but in the end you have a
multi-round game where you try and guess which packets come from the
remote end-point and which have been, more or less, expertly forged.
--
Dr Richard Clayton <richard.clayton @ cl.cam.ac.uk>
Computer Laboratory, University of Cambridge, CB3 0FD
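The TTL-plausibility idea mentioned above (accept a RST only if its IP TTL matches what the rest of the flow has been arriving with, on the reasoning that a mid-path injector is fewer hops away than the real peer) can be sketched in user space. The following is an added example written for this page; it is not the FreeBSD patch from the thread or any code of Richard Clayton's. The tolerance of 2 hops, the documentation-range addresses and the packet sequence are all constructed assumptions for the demonstration.

```python
"""
TTL-plausibility filter for inbound TCP RST segments (illustrative).

Rule of thumb from the thread: a RST forged by a box in the middle of the
path arrives with a different (usually higher) IP TTL than the genuine
segments of the same flow, because the forger is fewer hops away than the
real remote end-point. Learn the TTL per flow from the non-RST segments
and treat a RST whose TTL deviates by more than a small tolerance as
suspect.
"""
import struct

# Assumption: small tolerance for routing changes. Not a value from the thread.
TTL_TOLERANCE = 2

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def parse_ipv4_tcp(pkt: bytes):
    """Return (src, dst, sport, dport, ttl, flags) from a raw IPv4+TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4            # IPv4 header length in bytes
    ttl = pkt[8]
    proto = pkt[9]
    if proto != 6:
        raise ValueError("not a TCP segment")
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    flags = tcp[13]                      # low 8 bits of the flags field
    return src, dst, sport, dport, ttl, flags


def build_packet(src: str, dst: str, sport: int, dport: int, ttl: int, flags: int) -> bytes:
    """Constructed minimal IPv4+TCP packet (no options, zero checksums)."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0, src_b, dst_b)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp


class RstFilter:
    """Per-flow TTL baseline; RSTs far from the baseline are dropped."""

    def __init__(self, tolerance: int = TTL_TOLERANCE):
        self.tolerance = tolerance
        self.seen_ttl = {}               # (src, sport, dst, dport) -> last non-RST TTL

    def observe(self, pkt: bytes) -> str:
        src, dst, sport, dport, ttl, flags = parse_ipv4_tcp(pkt)
        key = (src, sport, dst, dport)
        if not flags & TCP_RST:
            self.seen_ttl[key] = ttl     # learn/refresh the baseline from real traffic
            return "accept"
        baseline = self.seen_ttl.get(key)
        if baseline is None:
            return "accept"              # no baseline yet: nothing to judge against
        if abs(ttl - baseline) > self.tolerance:
            return "drop"                # implausible TTL: treat as injected
        return "accept"


def demo():
    """Constructed inbound sequence from a remote web server; returns verdicts."""
    remote, local = "203.0.113.10", "192.0.2.7"      # documentation ranges, constructed
    f = RstFilter()
    pkts = [
        build_packet(remote, local, 80, 40000, 52, TCP_SYN | TCP_ACK),   # handshake, real peer
        build_packet(remote, local, 80, 40000, 52, TCP_PSH | TCP_ACK),   # data, real peer
        build_packet(remote, local, 80, 40000, 61, TCP_RST | TCP_ACK),   # forged: fewer hops away
        build_packet(remote, local, 80, 40000, 52, TCP_RST | TCP_ACK),   # genuine RST
    ]
    return [f.observe(p) for p in pkts]


if __name__ == "__main__":
    print(demo())   # ['accept', 'accept', 'drop', 'accept']
```

As the thread notes, this is one round of a guessing game: an injector that learns the peer's TTL and sets its own accordingly will pass the check, and a flow that never saw a non-RST segment has no baseline to compare against, so the filter accepts rather than drops in that case.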