Inappropriate TCP Resets Considered Harmful (RFC3360)

IP.com Disclosure Number: IPCOM000009262D
Original Publication Date: 2002-Aug-01
Included in the Prior Art Database: 2002-Aug-14
Document File: 20 page(s) / 47K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

S. Floyd: AUTHOR

Abstract

This document is being written because there are a number of firewalls in the Internet that inappropriately reset a TCP connection upon receiving certain TCP SYN packets, in particular, packets with flags set in the Reserved field of the TCP header. In this document we argue that this practice is not conformant with TCP standards, and is an inappropriate overloading of the semantics of the TCP reset. We also consider the longer-term consequences of this and similar actions as obstacles to the evolution of the Internet infrastructure.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 6% of the total text.

Network Working Group                                           S. Floyd
Request for Comments: 3360                                          ICIR
BCP: 60                                                      August 2002
Category: Best Current Practice

              Inappropriate TCP Resets Considered Harmful

Status of this Memo

   This document specifies an Internet Best Current Practices for the
   Internet Community, and requests discussion and suggestions for
   improvements.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2002).  All Rights Reserved.

Abstract

   This document is being written because there are a number of
   firewalls in the Internet that inappropriately reset a TCP connection
   upon receiving certain TCP SYN packets, in particular, packets with
   flags set in the Reserved field of the TCP header.  In this document
   we argue that this practice is not conformant with TCP standards, and
   is an inappropriate overloading of the semantics of the TCP reset.
   We also consider the longer-term consequences of this and similar
   actions as obstacles to the evolution of the Internet infrastructure.

1.  Introduction

   TCP uses the RST (Reset) bit in the TCP header to reset a TCP
   connection.  Resets are appropriately sent in response to a
   connection request to a nonexistent connection, for example.  The TCP
   receiver of the reset aborts the TCP connection, and notifies the
   application [RFC793, RFC1122, Ste94].

   Unfortunately, a number of firewalls and load-balancers in the
   current Internet send a reset in response to a TCP SYN packet that
   uses flags from the Reserved field in the TCP header.  Section 3 below
   discusses the specific example of firewalls that send resets in
   response to TCP SYN packets from ECN-capable hosts.
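
   A check an administrator could run over captured TCP headers to see
   whether a path shows the behaviour described above, as an added
   example that is not part of RFC 3360: it compares the reply to a plain
   SYN with the reply to a SYN that sets Reserved-field bits.  The ECE/CWR
   bit positions are those of RFC 3168; the function names and the sample
   segments are constructed for illustration.

```python
import struct
from typing import Optional
# Bits of the 16-bit word at byte offset 12 of the TCP header.
SYN, RST, ACK = 0x002, 0x004, 0x010
ECE, CWR = 0x040, 0x080   # ECN flags (RFC 3168), taken from the Reserved field
RESERVED_793 = 0x0FC0     # the six bits RFC 793 marked Reserved

def parse(header: bytes):
    """Return (sport, dport, seq, ack, flags) from a TCP header (20 bytes minimum)."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags = struct.unpack_from("!HHIIH", header)
    return sport, dport, seq, ack, off_flags & 0x0FFF  # drop the data offset

def classify(syn: bytes, reply: Optional[bytes]) -> str:
    """Classify the reply observed for one initial SYN."""
    sport, dport, seq, _, flags = parse(syn)
    if (flags & (SYN | ACK | RST)) != SYN:
        raise ValueError("first segment is not an initial SYN")
    if reply is None:
        return "no-reply"
    r_sport, r_dport, _, r_ack, r_flags = parse(reply)
    # A reply to the SYN comes from the reversed ports and acknowledges seq + 1.
    if (r_sport, r_dport) != (dport, sport) or r_ack != (seq + 1) & 0xFFFFFFFF:
        return "unrelated"
    if r_flags & RST:
        return "reset"
    if (r_flags & (SYN | ACK)) == (SYN | ACK):
        return "accepted"
    return "other"

def diagnose(plain, plain_reply, marked, marked_reply) -> str:
    """Compare a plain SYN with a SYN using Reserved-field bits, same server port."""
    if (parse(plain)[4] & RESERVED_793) or not (parse(marked)[4] & RESERVED_793):
        raise ValueError("need one plain SYN and one with Reserved-field bits")
    a, b = classify(plain, plain_reply), classify(marked, marked_reply)
    if a == "accepted" and b == "reset":
        return "reset-on-reserved-bits"   # the behaviour this document objects to
    if a == "accepted" and b == "no-reply":
        return "no-reply-on-reserved-bits"
    return "no-difference" if a == b else "inconclusive"

def hdr(sport, dport, seq, ack, flags):  # builds a 20-byte header, no options
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)
# Constructed sample segments (not captured traffic).
PLAIN = hdr(40000, 80, 1000, 0, SYN)
ECN_SYN = hdr(40001, 80, 2000, 0, SYN | ECE | CWR)
SYNACK = hdr(80, 40000, 9000, 1001, SYN | ACK)
RST_REPLY = hdr(80, 40001, 0, 2001, RST | ACK)
```

   A reset seen for both probes points to a closed port rather than to
   Reserved-field filtering, which is why the comparison needs the plain
   SYN as a baseline.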

   This document is being written to inform administrators of web
   servers and firewalls of this problem, in an effort to encourage the
   deployment of bug-fixes [FIXES].  A second purpose of this document
   is to consider the longer-term consequences of such middlebox
   behavior on the more general evolution of protocols in the Internet.

2.  The history of TCP resets.

   This section gives a brief history of the use of the TCP reset in the
   TCP standards, and argues that sending a reset in response to a SYN
   packet that uses bits from the Reserved field of the TCP header is
   non-compliant behavior.

   RFC 793 contained the original specification of TCP in September,
   1981 [RFC793].  This document defined the RST bit in the TCP header,
   and expl...