[e2e] Receiving RST on a MD5 TCP connection.
mdalal at cisco.com
Mon Jun 27 12:18:40 PDT 2005
Although not a standard yet, it offers a reasonable mitigation.
On Mon, 27 Jun 2005, Tapan Karwa wrote:
> I was going through RFC 2385 - Protection of BGP
> Sessions via the TCP MD5 Signature Option
> In Section 4.1, it mentions
> "Similarly, resets generated by a TCP in response to
> segments sent on a stale connection will also be
> ignored. Operationally this can be a problem since
> resets help BGP recover quickly from peer crashes."
> This can easily happen in the following scenario:
> XX is talking to YY and both are using MD5. YY
> suddenly reboots but XX does not know about it yet. XX
> sends the next segment to YY with the MD5 digest but
> YY does not recognize it and hence sends a RST. Of
> course this RST segment does not have the MD5 digest.
> Even when XX receives the RST, it won't/can't close the
> connection since it will trash the packet as it does
> not have the MD5 digest.
> I was wondering if there is any solution to this
> problem. Will it be correct to accept the RST even if
> the MD5 digest is missing? If we do that, can that
> open doors for some other attacks?
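The stale-connection case from the quoted message, as an added example (not code from the thread or from any BGP implementation): an RFC 2385 digest over pseudo-header, base TCP header, data and key, and a receiver that discards any segment lacking a valid option, RST included. Addresses, ports, sequence numbers and the key are constructed for illustration.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

FLAG_RST, FLAG_PSH, FLAG_ACK = 0x04, 0x08, 0x10
KEY = b"constructed-example-key"              # constructed shared secret of XX and YY
XX, YY = ("192.0.2.1", 179), ("192.0.2.2", 49152)   # constructed (addr, port) pairs

def tcp_md5_digest(src, dst, seq, ack, flags, data, key):
    """RFC 2385 section 2: MD5 over the pseudo-header, the base TCP header
    with checksum zero (options excluded), the segment data, then the key.
    Data offset is 10 words: 20-byte base header + 18-byte option + 2 NOPs."""
    seg_len = 40 + len(data)
    pseudo = (IPv4Address(src[0]).packed + IPv4Address(dst[0]).packed
              + struct.pack("!BBH", 0, 6, seg_len))
    base_hdr = struct.pack("!HHIIBBHHH", src[1], dst[1], seq, ack,
                           10 << 4, flags, 65535, 0, 0)
    return hashlib.md5(pseudo + base_hdr + data + key).digest()

def make_segment(src, dst, seq, ack, flags, data=b"", key=None):
    """key=None models a host with no MD5 state for this connection
    (e.g. freshly rebooted), which therefore emits no option at all."""
    md5 = None if key is None else tcp_md5_digest(src, dst, seq, ack, flags, data, key)
    return {"src": src, "dst": dst, "seq": seq, "ack": ack,
            "flags": flags, "data": data, "md5": md5}

def receive(seg, key):
    """Receiver on an MD5-protected connection: a missing option or a
    digest mismatch is a silent discard, whatever flags the segment carries."""
    if seg["md5"] is None:
        return "dropped: no MD5 option"
    expected = tcp_md5_digest(seg["src"], seg["dst"], seg["seq"], seg["ack"],
                              seg["flags"], seg["data"], key)
    if not hmac.compare_digest(expected, seg["md5"]):
        return "dropped: digest mismatch"
    return "reset" if seg["flags"] & FLAG_RST else "accepted"

def stale_connection_scenario():
    """XX's view after YY reboots: YY's RST has no option and is ignored,
    while a RST from a peer still holding the key would be honoured and a
    RST built with a wrong key is rejected by the digest check."""
    rebooted = make_segment(YY, XX, 5000, 1000, FLAG_RST | FLAG_ACK)
    keyed = make_segment(YY, XX, 5000, 1000, FLAG_RST | FLAG_ACK, key=KEY)
    wrong_key = make_segment(YY, XX, 5000, 1000, FLAG_RST | FLAG_ACK, key=b"guess")
    return {"rebooted peer": receive(rebooted, KEY),
            "keyed peer": receive(keyed, KEY),
            "wrong key": receive(wrong_key, KEY)}

if __name__ == "__main__":
    print(stale_connection_scenario())
```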