[e2e] Receiving RST on an MD5 TCP connection.

Joe Touch touch at ISI.EDU
Thu Jun 30 11:11:41 PDT 2005


See http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcp-antispoof-01.txt

This includes a summary of the issues, and alternate approaches.

Joe

Tapan Karwa wrote:
> Hi,
> 
> I was going through RFC 2385 - Protection of BGP
> Sessions via the TCP MD5 Signature Option
> 
> In Section 4.1, it mentions 
> "Similarly, resets generated by a TCP in response to
> segments sent on a stale connection will also be
> ignored. Operationally this can be a problem since
> resets help BGP recover quickly from peer crashes."
> 
> This can easily happen in the following scenario:
> XX is talking to YY and both are using MD5. YY
> suddenly reboots but XX does not know about it yet. XX
> sends the next segment to YY with the MD5 digest but
> YY does not recognize it and hence sends a RST. Of
> course this RST segment does not have the MD5 digest.
> 
> Even when XX receives the RST, it won't/can't close the
> connection since it will trash the packet as it does
> not have the MD5 digest.
> 
> I was wondering if there is any solution to this
> problem. Will it be correct to accept the RST even if
> the MD5 digest is missing? If we do that, can that
> open doors for some other attacks?
> 
> Thanks,
> tapan.
> 
> 
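As an added example (not part of Joe Touch's reply or Tapan Karwa's question, and not the draft's code), the following Python model reproduces the RFC 2385 behaviour the thread describes: the digest is computed over the pseudo-header, the fixed TCP header with the checksum zeroed, the segment data and the key, and a receiver that has a key configured drops any segment whose MD5 option is missing or wrong. Running the constructed scenario shows that the unsigned RST from a rebooted YY never reaches XX's connection state, while a RST carrying a valid digest does close it. The addresses, ports, sequence numbers and the key are constructed values; the 2-byte NOP/EOL padding after the 18-byte option is an assumption about how the option is aligned.

```python
"""Model of RFC 2385 TCP MD5 signature handling (added example, not the
thread's or the draft's code). Shows why an unsigned RST from a peer that
lost its state is silently discarded by a peer that still expects signed
segments, and that a correctly signed RST is honoured."""
import hashlib
import hmac
import socket
import struct

TCP_FLAG_RST = 0x04
TCP_FLAG_ACK = 0x10
TCPOPT_MD5 = 19        # option kind assigned by RFC 2385
TCPOPT_MD5_LEN = 18    # kind + length + 16-byte digest
MD5_OPT_PADDED = 20    # option plus two bytes of padding (assumed NOP, EOL)


def tcp_md5_digest(src_ip, dst_ip, fixed_header, segment_len, payload, key):
    """RFC 2385 section 2.0: MD5 over the pseudo-header (src, dst, zero,
    protocol, segment length), the 20-byte fixed TCP header with the
    checksum zeroed (options excluded), the segment data, and the key."""
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                         socket.inet_aton(dst_ip), 0, socket.IPPROTO_TCP,
                         segment_len)
    hdr = fixed_header[:16] + b"\x00\x00" + fixed_header[18:20]
    return hashlib.md5(pseudo + hdr + payload + key).digest()


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags,
                  payload=b"", key=None):
    """Serialize a TCP segment; when a key is given, append the MD5 option."""
    opt_len = MD5_OPT_PADDED if key is not None else 0
    data_offset = (20 + opt_len) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      data_offset << 4, flags, 65535, 0, 0)
    options = b""
    if key is not None:
        digest = tcp_md5_digest(src_ip, dst_ip, hdr,
                                20 + opt_len + len(payload), payload, key)
        options = bytes([TCPOPT_MD5, TCPOPT_MD5_LEN]) + digest + b"\x01\x00"
    return hdr + options + payload


def find_md5_option(options):
    """Walk the TCP option list and return the 16-byte digest, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP
            i += 1
            continue
        if i + 1 >= len(options):
            break
        length = options[i + 1]
        if length < 2:           # malformed option, stop parsing
            break
        if kind == TCPOPT_MD5 and length == TCPOPT_MD5_LEN:
            return options[i + 2:i + 18]
        i += length
    return None


def receive(segment, src_ip, dst_ip, key):
    """Receiver with an MD5 key configured for this peer.
    Returns (accepted, reason). Per RFC 2385 section 4.1, segments without
    a valid digest are dropped, so an unsigned RST cannot tear down the
    connection, which is exactly the recovery problem the thread raises."""
    data_offset = (segment[12] >> 4) * 4
    fixed_header = segment[:20]
    options, payload = segment[20:data_offset], segment[data_offset:]
    received = find_md5_option(options)
    if received is None:
        return False, "dropped: no MD5 option"
    expected = tcp_md5_digest(src_ip, dst_ip, fixed_header, len(segment),
                              payload, key)
    if not hmac.compare_digest(received, expected):
        return False, "dropped: bad MD5 digest"
    if fixed_header[13] & TCP_FLAG_RST:
        return True, "accepted: RST, connection closed"
    return True, "accepted"


def stale_rst_scenario():
    """Constructed scenario from the thread: XX talks to YY, YY reboots."""
    key = b"example-shared-key"      # constructed value
    xx, yy = "192.0.2.1", "192.0.2.2"   # constructed addresses
    results = {}
    # Normal operation: XX's signed segment is accepted by a peer holding the key
    data = build_segment(xx, yy, 179, 40000, 1000, 2000, TCP_FLAG_ACK,
                         b"KEEPALIVE", key)
    results["signed_data"] = receive(data, xx, yy, key)
    # YY has rebooted with no connection state: it answers with a bare RST
    rst_unsigned = build_segment(yy, xx, 40000, 179, 2000, 1009,
                                 TCP_FLAG_RST | TCP_FLAG_ACK)
    results["unsigned_rst"] = receive(rst_unsigned, yy, xx, key)
    # If YY still had the key, its RST would carry a digest and be honoured
    rst_signed = build_segment(yy, xx, 40000, 179, 2000, 1009,
                               TCP_FLAG_RST | TCP_FLAG_ACK, b"", key)
    results["signed_rst"] = receive(rst_signed, yy, xx, key)
    # A RST signed by a host that does not hold the key is also dropped
    rst_other = build_segment(yy, xx, 40000, 179, 2000, 1009, TCP_FLAG_RST,
                              b"", b"some-other-key")
    results["wrong_key_rst"] = receive(rst_other, yy, xx, key)
    return results


if __name__ == "__main__":
    for name, outcome in stale_rst_scenario().items():
        print(f"{name:16s} -> {outcome}")
```

The scenario makes the trade-off in Tapan's question concrete: accepting the unsigned RST would restore fast recovery after a peer crash, but it would also let any host that can guess the in-window sequence numbers reset the session, which is the protection the digest is there to provide.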