Now
netbsd-8 commitmail json YAML
Pull up following revision(s) (requested by maxv in ticket #662):
sys/netinet/tcp_input.c: revision 1.383 (via patch)
Revert rev1.183 (2003).
It was intended as an optimization, but it increases the attack surface:
the IPsec policy is not enforced on RST packets when the socket is in the
LISTEN state, and an (unauthenticated) attacker could jam the connection
between two IPsec hosts by sending RST packets between the client's SYN
and ACK packets.
Discussed with ozaki-r@.
sys/netinet/tcp_input.c: revision 1.383 (via patch)
Revert rev1.183 (2003).
It was intended as an optimization, but it increases the attack surface:
the IPsec policy is not enforced on RST packets when the socket is in the
LISTEN state, and an (unauthenticated) attacker could jam the connection
between two IPsec hosts by sending RST packets between the client's SYN
and ACK packets.
Discussed with ozaki-r@.