[e2e] Receiving RST on a MD5 TCP connection.

Tapan Karwa tapankarwa at yahoo.com
Mon Jun 27 12:02:12 PDT 2005


I was going through RFC 2385 - Protection of BGP
Sessions via the TCP MD5 Signature Option

In Section 4.1, it mentions 
"Similarly, resets generated by a TCP in response to
segments sent on a stale connection will also be
ignored. Operationally this can be a problem since
resets help BGP recover quickly from peer crashes."

This can easily happen in the following scenario:
XX is talking to YY and both are using MD5. YY
suddenly reboots but XX does not know about it yet. XX
sends the next segment to YY with the MD5 digest but
YY does not recognize it and hence sends a RST. Of
course this RST segment does not have the MD5 digest.

Even when XX receives the RST, it won't/can't close the
connection since it will trash the packet as it does
not have the MD5 digest.

I was wondering if there is any solution to this
problem. Will it be correct to accept the RST even if
the MD5 digest is missing? If we do that, can that
open doors for some other attacks?
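An added example (not from the post above or from any RFC 2385 implementation) that models the signing rule and the receiver-side check the post describes: the signed segment from XX passes, the unsigned RST from the rebooted YY is dropped, and a constructed `accept_unsigned_rst` switch shows what relaxing that check would mean. The addresses, ports and key are constructed values.

```python
import hashlib
import hmac
import socket
import struct

TCP_PROTO, MD5_OPT_KIND, MD5_OPT_LEN = 6, 19, 18   # RFC 2385: option kind 19, length 18
RST = 0x04                                         # TCP RST flag bit

def _digest(src_ip, dst_ip, seg_len, hdr20, payload, key):
    """RFC 2385 digest: MD5(pseudo-header | TCP header without options, checksum=0 | data | key)."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, TCP_PROTO, seg_len)
    hdr_no_csum = hdr20[:16] + b"\x00\x00" + hdr20[18:]
    return hashlib.md5(pseudo + hdr_no_csum + payload + key).digest()

def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"", key=None):
    """Build a TCP segment; with a key, append NOP NOP + MD5 option (data offset becomes 10 words)."""
    opts = b"\x01\x01" + bytes([MD5_OPT_KIND, MD5_OPT_LEN]) if key else b""
    doff = (20 + len(opts) + (16 if key else 0)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, doff << 4, flags, 65535, 0, 0)
    if key:
        opts += _digest(src_ip, dst_ip, 40 + len(payload), hdr, payload, key)
    return hdr + opts + payload

def check_segment(src_ip, dst_ip, segment, key, accept_unsigned_rst=False):
    """Receiver policy for a connection configured with a key: returns (accepted, reason)."""
    hdr, doff, flags = segment[:20], (segment[12] >> 4) * 4, segment[13]
    opts, payload = segment[20:doff], segment[doff:]
    got, i = None, 0
    while i < len(opts):                      # walk TCP options looking for kind 19
        kind = opts[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        length = opts[i + 1]
        if kind == MD5_OPT_KIND and length == MD5_OPT_LEN:
            got = opts[i + 2:i + length]
        i += length
    if got is None:
        # An unsigned RST is exactly what a rebooted, key-less peer sends; strict RFC 2385 drops it.
        # Honouring it instead means any sender that can guess the 4-tuple and a window-valid
        # sequence number can tear the session down, which is the trade-off the post asks about.
        if flags & RST and accept_unsigned_rst:
            return True, "unsigned RST honoured (relaxed policy)"
        return False, "no MD5 option"
    want = _digest(src_ip, dst_ip, len(segment), hdr, payload, key)
    return (True, "digest ok") if hmac.compare_digest(got, want) else (False, "bad digest")
```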


