[e2e] Receiving RST on a MD5 TCP connection.

Mitesh Dalal mdalal at cisco.com
Mon Jun 27 12:18:40 PDT 2005


Refer to
http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-03.txt

Although not a standard yet, it offers a reasonable mitigation.

Thanks
Mitesh

On Mon, 27 Jun 2005, Tapan Karwa wrote:

> Hi,
>
> I was going through RFC 2385 - Protection of BGP
> Sessions via the TCP MD5 Signature Option
>
> In Section 4.1, it mentions
> "Similarly, resets generated by a TCP in response to
> segments sent on a stale connection will also be
> ignored. Operationally this can be a problem since
> resets help BGP recover quickly from peer crashes."
>
> This can easily happen in the following scenario:
> XX is talking to YY and both are using MD5. YY
> suddenly reboots but XX does not know about it yet. XX
> sends the next segment to YY with the MD5 digest but
> YY does not recognize it and hence sends a RST. Of
> course this RST segment does not have the MD5 digest.
>
> Even when XX receives the RST, it won't/can't close the
> connection since it will trash the packet as it does
> not have the MD5 digest.
>
> I was wondering if there is any solution to this
> problem. Will it be correct to accept the RST even if
> the MD5 digest is missing? If we do that, can that
> open doors for some other attacks ?
>
> Thanks,
> tapan.
>
>
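The stale-RST scenario Tapan describes, as an added Python simulation that is not code from this thread, from RFC 2385 or from the tcpsecure draft: it computes the RFC 2385 digest (MD5 over pseudo-header, option-less TCP header with zero checksum, data and key) and models a receiver that, with the option configured, discards every segment lacking a valid digest, so the unsigned RST from a rebooted peer is dropped and the connection stays up. Addresses, ports and the key are constructed.

```python
import hashlib, hmac, socket, struct
from dataclasses import dataclass
from typing import Optional

RST, ACK = 0x04, 0x10
KEY = b"constructed-bgp-key"   # constructed shared key, not from the thread

@dataclass
class Segment:
    src: str; dst: str; sport: int; dport: int
    seq: int; ack: int; flags: int
    data: bytes = b""
    md5: Optional[bytes] = None   # 16-byte digest from the kind-19 option, if present

def rfc2385_digest(seg: Segment, key: bytes) -> bytes:
    # RFC 2385 s.2: MD5 over pseudo-header, option-less TCP header with checksum 0, data, key
    opt_space = 20                          # 18-byte MD5 option padded to a 4-byte boundary
    tcp_len = 20 + opt_space + len(seg.data)
    pseudo = struct.pack("!4s4sxBH", socket.inet_aton(seg.src), socket.inet_aton(seg.dst), 6, tcp_len)
    header = struct.pack("!HHIIBBHHH", seg.sport, seg.dport, seg.seq, seg.ack,
                         ((20 + opt_space) // 4) << 4, seg.flags, 65535, 0, 0)
    return hashlib.md5(pseudo + header + seg.data + key).digest()

class Md5Receiver:
    # XX's side of an established connection that has the MD5 option configured
    def __init__(self, key: bytes):
        self.key, self.established, self.log = key, True, []

    def receive(self, seg: Segment) -> bool:
        if seg.md5 is None:                 # s.4.1: unsigned segments, RST included, are discarded
            self.log.append("drop: no MD5 option")
            return False
        if not hmac.compare_digest(seg.md5, rfc2385_digest(seg, self.key)):
            self.log.append("drop: bad digest")   # wrong key or modified segment
            return False
        if seg.flags & RST:
            self.established = False
        self.log.append("accept")
        return True

def stale_rst_scenario(signed: bool) -> tuple:
    # YY has rebooted and answers XX's next data segment with a RST; having lost all state and
    # the key for this connection, the real YY sends it unsigned. signed=True is the contrast case.
    xx = Md5Receiver(KEY)
    rst = Segment("10.0.0.2", "10.0.0.1", 179, 40000, seq=0, ack=1001, flags=RST | ACK)
    if signed:
        rst.md5 = rfc2385_digest(rst, KEY)
    return xx.receive(rst), xx.established, xx.log[-1]
```

`stale_rst_scenario(signed=False)` returns `(False, True, 'drop: no MD5 option')`: the RST is discarded and XX still believes the session is established, which is exactly the slow-recovery problem RFC 2385 section 4.1 warns about.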
