On Sat, Jun 21, 2008 at 09:12:22AM +0900, Ryan McBride wrote:
> On Fri, Jun 20, 2008 at 12:49:43PM -0700, Darrin Chandler wrote:
> > > Yes, you use sloppy state only on the host(s) seeing half of the traffic.
> >
> > So to say it even more plainly... anywhere you are forced to deal with
> > asymmetric routing you can use sloppy state in place of not having any
> > stateful option. Would that be a fair statement?
>
> It's a fair statement if by 'forced' you mean, 'compelled beyond your
> control, with no other options, having fully understood the consequences
> and informed all relevant parties of the risks involved'. This
> "feature" is NOT a substitute for good network design.
>
> sloppy state performs basically NO security checks on the TCP stream;
> more importantly the TCP state tracking is extremely loose and it's
> trivial for an attacker to spoof creation of "fully-established" TCP
> connections, which will not time out for an extremely long time, filling
> your state table and blocking legitimate traffic. It's dangerous.
Yes, that is what I meant. Thanks for saying it so much better. :)

-- 
Darrin Chandler            |  Phoenix BSD User Group  |  MetaBUG
[EMAIL PROTECTED]          |  http://phxbug.org/      |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation
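As an added illustration of Ryan's point (this fragment is not from the thread or from OpenBSD): a pf.conf excerpt that confines `sloppy` to the one interface that sees half of each flow and bounds how far a spoofed "established" flood can grow the state table. The interface names, the network and the numeric limits are assumptions.

```pf
# Added illustrative pf.conf fragment; interfaces, network and limits are
# assumed values, not taken from the mailing-list thread.
ext_if  = "em0"           # symmetric path: full TCP state checks
asym_if = "em1"           # the interface that only sees half of each flow
dmz_net = "192.0.2.0/24"  # constructed example network

# Global cap on the state table so a flood cannot exhaust kernel memory.
set limit states 100000

# Symmetric traffic keeps the default strict tracker: sequence-number
# window checks and a proper three-way-handshake state machine.
pass in on $ext_if proto tcp to $dmz_net port { 80 443 } \
    flags S/SA keep state

# Asymmetric path: sloppy is the only stateful option, so bound the damage.
# - flags any:        states may be created from mid-stream packets
# - max:              this rule may never hold more than 20000 entries
# - tcp.established:  expire in 1 hour instead of the 24-hour default
# - max-src-states:   one source address may hold at most 500 states
pass in on $asym_if proto tcp to $dmz_net port { 80 443 } \
    flags any keep state (sloppy, max 20000, tcp.established 3600, \
                          source-track rule, max-src-states 500)
```

With these options a spoofed flood still costs legitimate users on `$asym_if` once the rule's limits are hit, but it can no longer consume the whole table and knock out the strictly tracked traffic on `$ext_if`.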