topic Re: RFC 7413 TCP fast open in General Topics

TCP Fast Open

pnorman821 — Fri, 20 Dec 2019 12:08:05 GMT

Hi,

I have recently been doing some research into the experimental TCP mechanism called 'TCP Fast Open'. I wondered how Checkpoint deals with this traffic? Does the traffic get dropped because it does not comply with the TCP 3 way handshake mechanism because there is 'data' attached to the SYN.

I can see on the Internet that some other firewall vendors have some information/guidelines/suggestions on how 'they' deal with with this feature/setting; are there any plans to create similar documentation for Check Point?

Thanks

Paul Norman

RFC 7413 TCP fast open

whitey — Fri, 20 Dec 2019 10:05:21 GMT

Any support for RFC 7413 TCP fast open on Checkpoint Firewalls?

Re: TCP Fast Open

pnorman821 — Fri, 20 Dec 2019 13:04:25 GMT

sorry I have just realised I have posted this to the wrong board - could it please be moved to the correct place?

Re: TCP Fast Open

PhoneBoy — Fri, 20 Dec 2019 19:19:06 GMT

Not sure how the gateway would differentiate a legit TCP Fast Open from an illegitimate one, given the cryptographic nature of it.
I suspect (but don’t know for sure) that the initial SYN would be allowed but until the three way handshake completed, the data packets would be dropped due to “Out of State.”

Edit: it appears, per some TAC cases, that we will drop SYN packets that include data, which means TCP Fast Open won’t be supported.

Re: RFC 7413 TCP fast open

PhoneBoy — Fri, 20 Dec 2019 20:46:29 GMT

Note I merged your question with another similar thread.
Short answer: it appears it is not supported since SYN packets with data (needed for TCP Fast Open) would be dropped.