Handling of TCP Segments with the RST-bit Set in the LAST-ACK State

Description

This set of tests focuses on the handling of RST-segments in the LAST-ACK state.

RFC 0793 requires RST-segments to be accepted if and only if RCV.NXT <= SEG.SEQ < RCV.NXT+RCV.WND holds.

To mitigate blind in-window attacks, RFC 5961 requires RST-segments to be accepted only if RCV.NXT = SEG.SEQ holds. In case of RCV.NXT < SEG.SEQ < RCV.NXT+RCV.WND, a challenge ACK has to be sent instead.

In FreeBSD, the sysctl variable net.inet.tcp.insecure_rst selects whether the procedure described in RFC 0793 or the one in RFC 5961 is followed. The default is to follow RFC 5961.
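As an added illustration (not code from the test suite or from the FreeBSD kernel), the following C function classifies an incoming RST by its SEG.SEQ relative to the receive window under both rules. The `insecure_rst` flag mirrors the sysctl; the four positions probed by the tests below (outside-left, left-edge, right-edge, outside-right) are the cases in `main`. Sequence comparisons use the usual signed-difference idiom so that 32-bit wraparound is handled.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef uint32_t tcp_seq;

/* Modular sequence-number comparisons (same idea as the kernel's SEQ_LT/SEQ_LEQ). */
#define SEQ_LT(a, b)  ((int32_t)((a) - (b)) < 0)
#define SEQ_LEQ(a, b) ((int32_t)((a) - (b)) <= 0)

enum rst_action { RST_DROP = 0, RST_ACCEPT = 1, RST_CHALLENGE_ACK = 2 };

/* Decide what to do with an RST whose sequence number is seg_seq, given the
 * receiver's RCV.NXT and RCV.WND. insecure_rst=true follows RFC 793,
 * insecure_rst=false follows RFC 5961 (the FreeBSD default). */
enum rst_action classify_rst(tcp_seq rcv_nxt, uint32_t rcv_wnd,
                             tcp_seq seg_seq, bool insecure_rst)
{
    bool in_window;

    if (rcv_wnd == 0)
        /* Zero window: RFC 793 accepts a zero-length segment only at RCV.NXT. */
        in_window = (seg_seq == rcv_nxt);
    else
        /* RCV.NXT <= SEG.SEQ < RCV.NXT+RCV.WND */
        in_window = SEQ_LEQ(rcv_nxt, seg_seq) && SEQ_LT(seg_seq, rcv_nxt + rcv_wnd);

    if (!in_window)
        return RST_DROP;                 /* both RFCs: silently discard */
    if (insecure_rst)
        return RST_ACCEPT;               /* RFC 793: any in-window RST resets */
    if (seg_seq == rcv_nxt)
        return RST_ACCEPT;               /* RFC 5961: exact match resets */
    return RST_CHALLENGE_ACK;            /* RFC 5961: in window but not at RCV.NXT */
}

int main(void)
{
    /* Constructed sample window: RCV.NXT=1000, RCV.WND=100. */
    const tcp_seq nxt = 1000; const uint32_t wnd = 100;
    const char *names[] = {"outside-left", "left-edge", "right-edge", "outside-right"};
    const tcp_seq seqs[] = {nxt - 1, nxt, nxt + wnd - 1, nxt + wnd};
    const char *acts[] = {"drop", "accept", "challenge-ack"};
    for (int mode = 0; mode < 2; mode++)
        for (int i = 0; i < 4; i++)
            printf("%-14s %-8s -> %s\n", names[i], mode ? "insecure" : "secure",
                   acts[classify_rst(nxt, wnd, seqs[i], mode == 1)]);
    return 0;
}
```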

Status

| Name | Result FreeBSD 11.0 | Result FreeBSD Head |
| --- | --- | --- |
| rcv-rst-last-ack-outside-left-secure-ipv4 | Unknown | Passed |
| rcv-rst-last-ack-outside-left-secure-ipv6 | Unknown | Passed |
| rcv-rst-last-ack-left-edge-secure-ipv4 | Unknown | Passed (Note 1) |
| rcv-rst-last-ack-left-edge-secure-ipv6 | Unknown | Passed (Note 1) |
| rcv-rst-last-ack-right-edge-secure-ipv4 | Unknown | Passed |
| rcv-rst-last-ack-right-edge-secure-ipv6 | Unknown | Passed |
| rcv-rst-last-ack-outside-right-secure-ipv4 | Unknown | Passed |
| rcv-rst-last-ack-outside-right-secure-ipv6 | Unknown | Passed |
| rcv-rst-last-ack-outside-left-insecure-ipv4 | Unknown | Passed |
| rcv-rst-last-ack-outside-left-insecure-ipv6 | Unknown | Passed |
| rcv-rst-last-ack-left-edge-insecure-ipv4 | Unknown | Passed (Note 1) |
| rcv-rst-last-ack-left-edge-insecure-ipv6 | Unknown | Passed (Note 1) |
| rcv-rst-last-ack-right-edge-insecure-ipv4 | Unknown | Passed (Note 1) |
| rcv-rst-last-ack-right-edge-insecure-ipv6 | Unknown | Passed (Note 1) |
| rcv-rst-last-ack-outside-right-insecure-ipv4 | Unknown | Passed |
| rcv-rst-last-ack-outside-right-insecure-ipv6 | Unknown | Passed |

Notes

  1. In the CLOSING or LAST-ACK state, after receipt of an acceptable RST-segment, the SO_ERROR socket option returns 0 instead of ECONNRESET (the same works in CLOSE-WAIT). TCP/IP Illustrated, page 964, states that no error is signalled to the process, "since the process has closed the socket". This argument covers CLOSING, LAST-ACK, and TIME-WAIT. However, these states can also be reached by calling shutdown(..., SHUT_WR), in which case the socket is still open and the application can still be notified in the CLOSING and LAST-ACK states. Fixed in r308745 (D8371).