Actuator Profile SC,
I am attempting to resolve comments in the SLPF. Please refer to section 2.1.3.2, 'SLPF Args'.
Currently we have an argument called 'drop_process' that is optional for the Deny command. There are three possible values:
- The default is 'none' which means the filter drops the packet and nothing else
- The 'reject' option means that the filter drops the packet then sends an ICMP host unreachable (or equivalent) to the source address
- The 'false_ack' option means that the filter drops the packet then sends an acknowledgement to the source address indicating that the data made it to the destination address (though it was dropped)
The comment was "Does this option make sense for a stateless packet filter? TCP is stateful (connection-oriented), and a stateless filter cannot acknowledge that a connection was established or data was received."
My response was "In the academic sense of the word, no.
From a pragmatic point of view, there are high speed filters that send false acks that are not 'stateful' in the sense of deep packet inspection, analysis of layer five (session layer) etc. I will grant that they do have to maintain a running total of all the bytes that the source address sent so 'crosses' the stateless 'threshold', but these are simple high speed filters.
I tend toward pragmatic. Still a simple high speed filter and we should support (and we are talking about a single setting on a single OPTIONAL)"
I do know that there are high speed filters that are deployed today with this capability. I do not know how widely false acks are used.
Let me know what you think. I do not intend to dig my heels on this one but tend toward supporting current capabilities.
VR
Joe B