Taking the wider view, the existence of web servers or firewalls that send inappropriate resets is only one example of functionality in the Internet that restricts the future evolution of the Internet. The impact of all of these small restrictions taken together presents a considerable obstacle to the development of the Internet architecture. Issues for Transport Protocols One lesson for designers of transport protocols is that transport protocols will have to protect themselves from the unknown and seemingly arbitrary actions of firewalls, normalizers, and other middleboxes in the network.
Defensive actions on the side of transport protocols could include using Reserved flags in the SYN packet before using them in data traffic, to protect against middleboxes that block packets using those flags. It is possible that transport protocols will also have to add additional checks during the course of the connection lifetime to check for interference from middleboxes along the path.
The ECN standards document, RFC , contains an extensive discussion in Section 18 on "Possible Changes to the ECN Field in the Network", but includes the following about possible changes to the TCP header: "This document does not consider potential dangers introduced by changes in the transport header within the network.
Issues for Middleboxes Given that some middleboxes are going to drop some packets because they use functionality not allowed by the middlebox, the larger issue remains of how middleboxes should communicate the reason for this action to the end-nodes, if at all.
One suggestion, for consideration in more depth in a separate document, would be that firewalls send an ICMP Destination Unreachable message with the code "Communication Administratively Prohibited" [ B01 ]. First, middleboxes along the reverse path might block these ICMP messages.
Second, some firewall operators object to explicit communication because it reveals too much information about security policies. And third, the response of transport protocols to such an ICMP message is not yet specified. However, an ICMP "Administratively Prohibited" message could be a reasonable addition, for firewalls willing to use explicit communication.
One possibility, again to be explored in a separate document, would be for the ICMP "Administratively Prohibited" message to be modified to convey additional information to the end host. We would note that this document does not consider middleboxes that block complete transport protocols. Such a use of resets seems consistent with the semantics of TCP reset. This document is only considering the problems caused by middleboxes that block specific packets within a transport protocol when other packets from that transport protocol are forwarded by the middlebox unaltered.
One complication is that once a mechanism is installed in a firewall to block a particular functionality, it can take considerable effort for network administrators to "un-install" that block. It has been suggested that tweakable settings on firewalls could make recovery from future incidents less painful all around. Again, because this document does not address more general issues about firewalls, the issue of greater firewall flexibility, and the attendant possible security risks, belongs in a separate document.
Current Choices for Firewalls Given a firewall that has decided to drop TCP packets that use reserved bits in the TCP header, one question is whether the firewall should also send a Reset, in order to prevent the TCP connection from consuming unnecessary resources at the TCP sender waiting for the retransmit timeout.
We would argue that whether or not the firewall feels compelled to drop the TCP packet, it is not appropriate to send a TCP reset. Sending a TCP reset in response to prohibited functionality would continue the current overloading of the semantics of the TCP reset in a way that could be counterproductive all around.
As an example, Section 2. Possibly in response to this or perhaps in response to something else , some popular TCP implementations immediately resend a SYN packet in response to a reset, up to four times.
The more aggressive TCP implementations increase congestion for others, but also increase their own chances of eventually getting through. Obviously, this weakens the effectiveness of the reset when used for its original purpose, of responding to TCP packets that apparently are not intended for the current connection.
In addition to the incentive mentioned above of resending TCP SYN packets to increase one's odds of eventually getting through in a time of congestion, the TCP reset might have been due to prohibited functionality instead of congestion, so the TCP implementation might resend SYN packets in different forms to determine exactly which functionality is being prohibited. Such a continual changing of the semantics of the TCP reset could be expected to lead to a continued escalation of measures and countermeasures between firewalls and end-hosts, with little productive benefit to either side.
This is true; from the viewpoint of end- system response to messages with overloaded semantics, it would be preferable to have an explicit indication about prohibited functionality for those firewalls for some reason willing to use explicit indications.
But given a firewall's choice between sending a reset or just dropping the packet, we would argue that just dropping the packet does less damage, in terms of giving an incentive to end-hosts to adopt counter-measures.
It is true that just dropping the packet, without sending a reset, results in delay for the TCP connection in resending the SYN packet without the prohibited functionality. However, sending a reset has the undesirable longer- term effect of giving an incentive to future TCP implementations to add more baroque combinations of resending SYN packets in response to a reset, because the TCP sender can't tell if the reset is for a standard reason, for congestion, or for the prohibited functionality of option X or reserved bit Y in the TCP header.
We note that in some cases this could have unintended and undesirable consequences. The ECN specifications were not written to ensure robust operation in the presence of the arbitrary zeroing of TCP header fields within the network, because it didn't occur to the authors of the protocol at the time that this was a requirement in protocol design.
The details of these possible interactions are not crucial for this document, and are described in the appendix. However, our conclusion, both for the ECN-related flags in the TCP header and for future uses of the four other bits in the TCP Reserved field, would be that if it is required for firewalls to be able to block the use of a new function being added to a protocol, this is best addressed in the initial design phase by joint cooperation between the firewall community and the protocol designers.
Conclusions Our conclusion is that it is not conformant with current standards for a firewall, load-balancer, or web-server to respond with a reset to a TCP SYN packet simply because the packet uses flags in the TCP Reserved field. Mostly every Listening endpoint has some queue. These can be managed directly or indirectly by the application running on them. Sometimes we may specify the listening endpoint say When the client initiates a connection request to an IP address other than A buffer is a small amount of memory that holds data for a particular TCP connection.
Tuesday, September 14, Sign in. Forgot your password? Get help. Privacy Policy. Password recovery. Table of Contents. And is it possible that some router along the way is responsible for it or would this always come from the other endpoint?
Edit: There is a router specifically a Linksys WRTG sitting between my computer and the other endpoint -- is there anything I should look for in the router settings? A 'router' could be doing anything - particularly NAT, which might involve any amount of bug-ridden messing with traffic It's hard to give a firm but general answer, because every possible perversion has been visited on TCP since its inception, and all sorts of people might be inserting RSTs in an attempt to block traffic.
Some 'national firewalls' work like this, for example. Run a packet sniffer e. I've just spent quite some time troubleshooting this very problem. None of the proposed solutions worked.
Turned out that our sysadmin by mistake assigned the same static IP to two unrelated servers belonging to different groups, but sitting on the same network. The end results were intermittently dropped vnc connections, browser that had to be refreshed several times to fetch the web page, and other strange things. So if it receives FIN from the side doing the passive close in a wrong state, it sends a RST packet which indicates other side that an error has occured.
If there is a router doing NAT, especially a low end router with few resources, it will age the oldest TCP sessions first. To do this it sets the RST flag in the packet that effectively tells the receiving station to very ungracefully close the connection.
Some firewalls do that if a connection is idle for x number of minutes. Some ISPs set their routers to do that for various reasons as well. It's better to drop a packet then to generate a potentially protocol disrupting tcp reset. Resets are better when they're provably the correct thing to send But if there's any chance they're invalid then they can cause this sort of pain. In most applications, the socket connection has a timeout.
If there is no communication between the client and the server within the timeout, the connection is reset as you observe. A great example is a FTP server, if you connect to the server and just leave the connection without browsing or downloading files, the server will kick you off the connection, usually to allow other to be able to connect.
I guess this is what you are experiencing with your connection. So take a look in the server application, if that is where you get the reset from, and see if it indeed has a timeout set for the connection in the source code. Stack Overflow for Teams — Collaborate and share knowledge with a private group.
Create a free Team What is Teams? Collectives on Stack Overflow. Learn more. Ask Question. Asked 13 years ago. Active 6 months ago. Viewed k times.
0コメント