RFC 1337 (rfc1337) - Page 2 of 11

TIME-WAIT Assassination Hazards in TCP

RFC 1337                 TCP TIME-WAIT Hazards                  May 1992


        For "short and slow" connections [RFC-1185], the clock-driven
        ISN (initial sequence number) selection prevents the overlap of
        the sequence spaces of the old and new incarnations [RFC-793].
        (The algorithm used by Berkeley BSD TCP for stepping ISN
        complicates the analysis slightly but does not change the
        conclusions.)

   (4)  TIME-WAIT state removes the hazard of old duplicates for "fast"
        or "long" connections, in which clock-driven ISN selection is
        unable to prevent overlap of the old and new sequence spaces.
        The TIME-WAIT delay allows all old duplicate segments time
        enough to die in the Internet before the connection is reopened.

   (5)  After a system crash, the Quiet Time at system startup allows
        old duplicates to disappear before any connections are opened.

   Our new observation is that (4) is unreliable: TIME-WAIT state can be
   prematurely terminated ("assassinated") by an old duplicate data or
   ACK segment from the current or an earlier incarnation of the same
   connection.  We refer to this as "TIME-WAIT Assassination" (TWA).

   Figure 1 shows an example of TIME-WAIT assassination.  Segments 1-5
   are copied exactly from Figure 13 of RFC-793, showing a normal close
   handshake.  Packets 5.1, 5.2, and 5.3 are an extension to this
   sequence, illustrating TWA.   Here 5.1 is *any* old segment that is
   unacceptable to TCP A.  It might be unacceptable because of its
   sequence number or because of an old PAWS timestamp.  In either case,
   TCP A sends an ACK segment 5.2 for its current SND.NXT and RCV.NXT.
   Since it has no state for this connection, TCP B reflects this as RST
   segment 5.3, which assassinates the TIME-WAIT state at A!





















Braden