Re: Keep state connections randomly dropped

This is a discussion on Re: Keep state connections randomly dropped within the IPFilter forums, part of the System Security and Security Related category.


Old 03-04-2007
Peter Jeremy
Re: Keep state connections randomly dropped

On 2007-Mar-03 15:57:18 -0800, Darren Reed <darrenr@reed.wattle.id.au> wrote:
>If you read RFC 793, the transition from "CLOSE WAIT" to "CLOSED" is 2 *
>MSL. MSL = 2 minutes.
>
>So the "4 minute" timeout you're seeing is correct...


My mistake. I got confused between the MSL and 2*MSL. I've raised
the issue of port re-use on the relevant FreeBSD mailing list.

>I will look into what should happen if a SYN packet for a new
>connection arrives within that 2*MSL...quite probably TCP will create
>a new connection, so IPFilter needs to do something intelligent
>here...


I'm not sure what the correct behaviour should be. There is an IETF
draft (tcpsecure) which may partially address this (though from the
opposite perspective). I've found a BSDCAN06 presentation by Mike
Silbersack which suggests that different stacks behave differently.

>Some things to toss up:
>- expunge the existing session when the new SYN packet is created and
> create a new session (this could be difficult)
>- use the first SYN packet to advance the state to closed, drop the
> packet and the state entry and wait for the next SYN packet to
> create a new connection


Of course, this should only occur if the existing state is in CLOSE
WAIT. The former approach has the advantage of not losing the SYN
packet but the latter would probably be reasonable.

-- 
Peter Jeremy
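As an added illustration, not code from this thread or from IPFilter, here is a toy keep-state table in Python that replays the situation under discussion: a SYN for a 4-tuple whose old entry is still inside its 2*MSL closing timeout, handled under each of the two options Darren lists, with the check Peter notes that this only applies when the old entry is in CLOSE WAIT. The addresses, timestamps and state names are constructed, and the real table's idle timeouts are omitted.

```python
"""Toy keep-state table: a new SYN arrives while the old entry for the same
4-tuple is still inside its 2*MSL closing timeout (constructed model)."""
from dataclasses import dataclass

MSL = 120                 # seconds; the thread's reading of RFC 793
CLOSE_TIMEOUT = 2 * MSL   # the "4 minute" timeout observed in the thread

@dataclass
class Entry:
    state: str       # "ESTABLISHED" or "CLOSE_WAIT" (the thread's term)
    expires: float   # absolute time at which the entry is purged

class StateTable:
    def __init__(self, policy):
        assert policy in ("replace", "drop-first-syn")
        self.policy = policy
        self.table = {}   # (src, sport, dst, dport) -> Entry

    def _purge(self, now):
        self.table = {k: e for k, e in self.table.items() if e.expires > now}

    def begin_close(self, key, now):
        # Session torn down: the entry lingers for 2*MSL before it is purged.
        self.table[key].state = "CLOSE_WAIT"
        self.table[key].expires = now + CLOSE_TIMEOUT

    def syn(self, key, now):
        """Verdict ('pass'/'drop') for a SYN on this 4-tuple at time now."""
        self._purge(now)
        old = self.table.get(key)
        if old is None:                # no live state: ordinary new session
            self.table[key] = Entry("ESTABLISHED", float("inf"))  # no idle timeout here
            return "pass"
        if old.state != "CLOSE_WAIT":  # SYN inside a live session is not a reopen
            return "drop"
        if self.policy == "replace":   # option 1: expunge old session, create new one
            self.table[key] = Entry("ESTABLISHED", float("inf"))
            return "pass"
        del self.table[key]            # option 2: SYN only closes the old entry;
        return "drop"                  # the client's retransmitted SYN creates the new one

def reopen_within_2msl(policy, reuse_at=60):
    """Close at t=10, reuse the port at reuse_at; returns verdicts and final state."""
    t = StateTable(policy)
    key = ("192.0.2.10", 40000, "192.0.2.20", 80)   # constructed 4-tuple
    t.syn(key, 0)
    t.begin_close(key, 10)              # entry would be purged at t=250
    verdicts = [t.syn(key, reuse_at)]
    if verdicts[-1] == "drop":          # client TCP retransmits the SYN
        verdicts.append(t.syn(key, reuse_at + 3))
    return verdicts, t.table[key].state
```

With `reuse_at=60` the "replace" policy passes the first SYN, the "drop-first-syn" policy loses it and passes the retransmission; with `reuse_at=251` the old entry has already expired and both pass the first SYN.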
