Date: Fri, 10 Oct 2008 10:59:25 +0300
From: "Rémi Denis-Courmont" <rdenis@...phalempin.com>
To: "ext Willy Tarreau" <w@....eu>
Cc: Stephen Hemminger <shemminger@...tta.com>, netdev@...r.kernel.org
Subject: Re: [PATCH] add a sysctl to disable TCP simultaneous connection opening

On Friday 10 October 2008 00:42:24 ext Willy Tarreau, you wrote:
> On Thu, Oct 09, 2008 at 07:21:03PM +0300, Rémi Denis-Courmont wrote:
> > On Wednesday 8 October 2008 14:54:02 Stephen Hemminger, you wrote:
> > > Does this break NAT traversal via STUNT used by applications like
> > > Skype?
> >
> > This will break the main ICE-TCP mechanism (IETF
> > draft-ietf-mmusic-ice-tcp). I am not aware of any application using this
> > _as_of_now_. Probably too many NAT and firewall implementations will
> > reject it already. And then, some TCP stacks reportedly do not support it
> > (e.g. Windows before Vista).
>
> And opening this through firewalls would be much too dangerous as it would
> allow servers to reconnect outside, pretty much defeating the initial
> purpose of the firewall.

Duh? If you require a SYN from the outside to the server, before you allow
the server to send either SYN or SYN/ACK, I fail to see the problem.

> > On the other hand, if someone were to tunnel/encapsulate TCP over UDP,
> > this could actually be useful - think about peer-to-peer NATted-to-NATted
> > file transfers for instance.
>
> This is already possible using netcat. You can force both ports. It has no
> flow control but would be enough to chat or transfer small config files.

File transfers over UDP? Come on. I won't restart the UDP sendfile discussion.

--
Rémi Denis-Courmont
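The firewall rule described in the reply above (an outside SYN must be seen before the server may send SYN or SYN/ACK), modelled as an added example that is not part of the original thread or of any kernel or netfilter code. The class name, the 30-second timeout and the documentation-range addresses are assumptions made for illustration.

```python
# Added illustration: a handshake-only filter in front of a server.
# Outbound SYN or SYN/ACK is allowed only as the answer to a recent inbound
# SYN on the exact same 4-tuple, so the server can never open a connection
# to an arbitrary outside endpoint, yet simultaneous open still completes.

class InboundInitiatedFilter:
    def __init__(self, inside_ips, syn_timeout=30.0):
        self.inside = set(inside_ips)
        self.syn_timeout = syn_timeout   # assumed value, not from the thread
        self.pending = {}                # (outside_ep, inside_ep) -> time of SYN

    def allow(self, src, dst, flags, now):
        """src/dst are (ip, port) tuples, flags a set such as {"SYN", "ACK"}."""
        if src[0] not in self.inside:
            # Inbound segment: remember who asked to connect, and when.
            if flags == {"SYN"}:
                self.pending[(src, dst)] = now
            return True
        # Outbound segment: needs state created by an inbound SYN.
        seen = self.pending.get((dst, src))
        if seen is None:
            return False
        if "SYN" in flags and now - seen > self.syn_timeout:
            del self.pending[(dst, src)]   # stale half-open entry
            return False
        return True


def demo():
    """Run a constructed packet sequence and return each verdict."""
    server, peer = ("192.0.2.10", 80), ("198.51.100.7", 40000)
    fw = InboundInitiatedFilter({"192.0.2.10"})
    return {
        "unsolicited_out_syn": fw.allow(server, peer, {"SYN"}, 0.0),
        "in_syn": fw.allow(peer, server, {"SYN"}, 1.0),
        "out_synack": fw.allow(server, peer, {"SYN", "ACK"}, 1.1),
        "out_syn_simultaneous": fw.allow(server, peer, {"SYN"}, 1.1),
        "out_syn_other_port": fw.allow(server, ("198.51.100.7", 40001), {"SYN"}, 1.2),
        "out_syn_after_timeout": fw.allow(server, peer, {"SYN"}, 40.0),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {'ACCEPT' if verdict else 'DROP'}")
```
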