On Thu, Feb 7, 2013 at 10:39 AM, Stephen Hemminger <stephen@xxxxxxxxxxxxxxxxxx> wrote:
> On Thu, 7 Feb 2013 09:52:40 -0800
> Kees Cook <keescook@xxxxxxxxxxxx> wrote:
>
>> This is based on Willy Tarreau's patch from 2008[1]. The goal is to
>> close a corner-case of TCP that isn't used and poses a small DoS risk.
>> For systems that do not want to take any risk at all, this is a desirable
>> configuration knob.
>>
>> It is possible for two clients to connect with crossed SYNs without
>> checking sequence numbers. As such, it might be possible to guess a source
>> port number to block a system from making connections to well-known
>> ports and IP addresses (e.g. auto-update checks) without requiring a
>> MiTM position.
>>
>
> This patch probably also breaks TCP STUNT that is used by some applications for NAT
> traversal.

The patch would not break it -- it defaults the sysctl to staying enabled. If you mean the documentation should be updated, sure, that's easy to do.

David: I know you aren't a fan of this patch, but I'd like to try to convince you. :)

This leaves the feature enabled and adds a toggle for systems (like Chrome OS) that don't want to risk this DoS at all. There are so very many other toggles, I don't see why this one would be a problem to add.

-Kees

--
Kees Cook
Chrome OS Security