Interesting People mailing list archives

Re: a wise word from a long time network person -- Merccurynews report on Stanford hearing


From: David Farber <dave () farber net>
Date: Wed, 23 Apr 2008 21:18:40 -0700


________________________________________
From: Joe Touch [touch () ISI EDU]
Sent: Wednesday, April 23, 2008 9:29 PM
To: David Farber
Subject: Re: [IP] Re:  :   a wise word from a long time network person -- Merccurynews report on Stanford hearing

Hi, Dave,

David Farber wrote:
> ________________________________________
> From: Brett Glass [brett () lariat net]
> Sent: Monday, April 21, 2008 9:43 PM
> To: David Farber; ip
> Subject: Re: [IP] Re:   a wise word from a long time network person -- Merccurynews report on Stanford hearing
>
> At 05:42 PM 4/21/2008, Tony Lauck wrote:
> ...
>> I have no objection to Comcast's managing its network performance. My
>> objection has been to the *form* of Comcast's management, namely the
>> forging of RST packets.
>
> My objection has been to the use of the pejorative term "forging" or
> "forgery." A RST packet is a perfectly good and legitimate way of
> informing the ends of a TCP socket that it is being terminated.

A RST packet is a legitimate way for the endpoints of a connection to
inform each other that a connection has reset.

To inject a RST packet with an IP address that is not your endpoint is
forgery, plain and simple. Proof of this is trivial - consider a
connection that uses IPsec to authenticate the endpoints.
Unauthenticated RSTs would be dropped before TCP processing in that
case, since they are forgeries.

If you don't want the term forgery, would you prefer any of the following:
        - spoofing
        - masquerading
        - falsifying

Or perhaps just lying.

> To understand why, think about what would happen if the socket were
> merely blocked by firewalling. The two sides would retry... and retry...
> and retry before giving up. And by doing so, they'd congest the
> network -- defeating the very purpose of terminating the socket. RST
> packets, on the other hand, inform the two sides that the socket has
> been terminated and there is no point in continuing to retry. Fast,
> efficient, and actually better for the ends (in terms of resource
> consumption) than the alternative.

You can rationalize that the net effect is the same, but that doesn't
mitigate the fact that packets were forged. If I run authentication, the
forged packets would be seen as forgeries. I would consider my system
under attack - as would an automated system - and rightly so.

Joe

-------------------------------------------
Archives: http://www.listbox.com/member/archive/247/=now
RSS Feed: http://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com
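The following is an added example, not code from the thread or from any of its participants. It models the point Joe makes about authenticated connections: on a plain TCP connection an injected RST that carries the peer's address and port and an in-window sequence number aborts the connection, while on a connection whose policy requires authentication the same segment fails verification and is discarded before TCP ever processes it. Assumptions of the model: the authenticator is an HMAC-SHA256 trailer over the IP+TCP bytes standing in for IPsec AH (the real AH header format is not reproduced); RST acceptance follows RFC 793 (any in-window RST aborts), without the RFC 5961 challenge-ACK refinement; the addresses, ports and shared key are constructed for the demo.

```python
"""Toy model: why an injected RST is a forgery once the transport is authenticated.

Added example, not code from the mailing-list thread. Assumptions:
  * authenticator = HMAC-SHA256 trailer over the IP+TCP bytes (stands in for
    IPsec AH; the real AH header layout is not modelled);
  * RST acceptance per RFC 793 (in-window RST aborts), no RFC 5961 challenge ACK;
  * endpoints, ports and the shared key below are constructed for the demo.
"""
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass

TCP_RST = 0x04
TCP_ACK = 0x10
TAG_LEN = 32                  # HMAC-SHA256 output appended to protected segments
IP_FMT = "!BBHHHBBH4s4s"      # IPv4 header without options (20 bytes)
TCP_FMT = "!HHIIBBHHH"        # TCP header without options (20 bytes)


def build_segment(src, dst, seq, flags, ack=0):
    """Minimal IPv4+TCP segment: no options, no payload, checksums left at 0."""
    src_ip, sport = src
    dst_ip, dport = dst
    ip = struct.pack(IP_FMT, 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack(TCP_FMT, sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp


def authenticate(segment, key):
    """Append the authenticator; only a party holding `key` can produce a valid one."""
    return segment + hmac.new(key, segment, hashlib.sha256).digest()


def parse(segment):
    """Return ((src_ip, sport), (dst_ip, dport), seq, flags) from a bare segment."""
    ip = struct.unpack(IP_FMT, segment[:20])
    sport, dport, seq, _ack, _off, flags, _win, _csum, _urg = struct.unpack(TCP_FMT, segment[20:40])
    return (socket.inet_ntoa(ip[8]), sport), (socket.inet_ntoa(ip[9]), dport), seq, flags


@dataclass
class Flow:
    local: tuple
    remote: tuple
    rcv_nxt: int              # next sequence number expected from the peer
    rcv_wnd: int = 65535
    key: bytes = b""          # non-empty => policy requires every inbound segment to authenticate
    state: str = "ESTABLISHED"

    def receive(self, wire):
        # Step 1: authentication runs *before* TCP. With a key configured, a segment
        # that does not verify is discarded here; TCP never learns that it existed.
        if self.key:
            if len(wire) < 40 + TAG_LEN:
                return "dropped: unauthenticated"
            body, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
            if not hmac.compare_digest(hmac.new(self.key, body, hashlib.sha256).digest(), tag):
                return "dropped: forged authenticator"
            wire = body
        # Step 2: demux on the 4-tuple. A spoofed source passes this by construction;
        # making the segment look like the peer's is exactly what the spoofing is for.
        src, dst, seq, flags = parse(wire)
        if src != self.remote or dst != self.local:
            return "dropped: not this connection"
        # Step 3: RFC 793 RST processing: an in-window RST aborts the connection.
        if flags & TCP_RST:
            if self.rcv_nxt <= seq < self.rcv_nxt + self.rcv_wnd:
                self.state = "CLOSED"
                return "reset"
            return "dropped: RST outside receive window"
        return "accepted"


def demo():
    client = ("10.0.0.2", 51515)          # constructed endpoints
    server = ("203.0.113.7", 6881)
    key = b"constructed shared secret"    # held by client and server only
    plain = Flow(local=client, remote=server, rcv_nxt=1000)
    protected = Flow(local=client, remote=server, rcv_nxt=1000, key=key)

    # A device on the path injects a RST towards the client, stamping the server's
    # address and port on it so that the client attributes it to its peer.
    injected = build_segment(src=server, dst=client, seq=1000, flags=TCP_RST | TCP_ACK)
    # Same injection plus a trailer computed without the key (the injector lacks it).
    injected_fake_tag = injected + hashlib.sha256(injected).digest()
    # The genuine server resetting the protected flow: it holds the key.
    genuine = authenticate(build_segment(src=server, dst=client, seq=1000,
                                         flags=TCP_RST | TCP_ACK), key)
    return {
        "plain/injected": plain.receive(injected),
        "plain_state": plain.state,
        "protected/injected": protected.receive(injected),
        "protected/injected+fake_tag": protected.receive(injected_fake_tag),
        "protected_state_after_injection": protected.state,
        "protected/genuine": protected.receive(genuine),
        "protected_state_after_genuine": protected.state,
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:34} {verdict}")
```

Running `demo()` shows the asymmetry the message describes: the plain flow is torn down by the injected segment, the protected flow discards both the bare injection and one with a made-up trailer while staying ESTABLISHED, and only the peer holding the key can reset it. In a real IPsec deployment the discard happens in the SPD/SA lookup of the IP layer; an automated monitor counting such discards would, as Joe says, report the flow as under attack.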