[prev in list] [next in list] [prev in thread] [next in thread] 

List:       ipfilter
Subject:    IPFILTER handling of inbound connectsion where the ACK for the SYN-ACK
From:       Jean De Boysson <Jean.De.Boysson () morganstanley ! com>
Date:       2004-04-13 16:47:01
Message-ID: 407C1985.5CE4D2B3 () morganstanley ! com
[Download RAW message or body]

This is an interesting case where connection negotiation between both
endpoints can not be completed because of the lost the third fame (the
ACK for SYN-ACK) in transit.

Consider the following session start

Frame
1        Sender      SYN              Seq =0 Ack = 0
2        Recvr        SYN-ACK    Seq =0 Ack =1 (with 24K Window
advertisement)
3        Sender      ACK              Seq =1 Ack =1 (this packet is
lost)
4        Sender      PSH-ACK     Seq =1 Ack =1 Length = 9 bytes (Next
Seq would = 10)
5        Sender      PSH-ACK     Retransmits the above frame # 4 (same
Seq and Ack value)
6        Recvr        SYN-ACK    Retransmits the SYN ACK from frame # 2
(Seq = 0 Ack = 1)
7        Sender      ACK              Seq = 10 Ack = 1 Lenght = 0 (no
data in this packet, but Seq indicate data sent/outstanding)
8        Sender      PSH-ACK     Retransmits the above frame #4 2nd time
(same Seq and Ack value)
9        Recvr        SYN-ACK    Retransmits the SYN ACK from frame #2
(Seq =0 Ack =1)
From here we simply loop back to frame 7,8,9 repeatedly until the sender
ReSeTs the connection after 8 retranmissions of Frame #4 have failed to
be acknowledged.

From looking at the timings, the retransmission of the SYN - ACK is in
step with exponential backoff and not in response to missing data.  We
conclude that all sender packets after the initial SYN are being blocked
from reaching the receivers TCP stack.

The question here is
1) Is IPFilter blocking (bld 3.4.33 pre 1) the connection because the
ACK for the SYN - ACK is not a "bare" ACK (Seq =1 Ack =1) with no data
or PSH bit set?

2) If answer to 1 is yes, can IPFilter be configured to permit a
connection to complete the three way handshake when only receiving frame
#4 or #6?

3) If answer to 1 is yes, if frame 7 was a bare ACK (Seq =1 and Ack =1)
would IPFilter have allowed this connection to fully establish (at both
ends) and continue?

Thanks









--
NOTICE: If received in error, please destroy and notify sender.  Sender
does not waive confidentiality or privilege, and use is prohibited.


[prev in list] [next in list] [prev in thread] [next in thread]