Date:      Wed, 21 Apr 2004 06:07:04 -0500
From:      "Jacques A. Vidrine" <nectar@FreeBSD.org>
To:        Mike Silbersack <silby@silby.com>
Cc:        avalon@caligula.anu.edu.au
Subject:   Re: [Full-Disclosure] IETF Draft - Fix for TCP vulnerability (fwd)
Message-ID:  <20040421110704.GA19640@lum.celabo.org>
In-Reply-To: <20040421014736.H1228@odysseus.silby.com>
References:  <200404210346.i3L3ki7E045504@gw.catspoiler.org> <20040421014736.H1228@odysseus.silby.com>

On Wed, Apr 21, 2004 at 01:50:28AM -0500, Mike Silbersack wrote:
> 
> On Tue, 20 Apr 2004, Don Lewis wrote:
> 
> > I am concerned that step C will not solve the compatibility problem. The
> > FreeBSD host is sending a FIN to close an established connection, and
> > the peer host is adding the window size advertised in the FIN packet to the
> > sequence number acknowledged in the FIN packet, and using the sum as the
> > sequence number for the RST packet, which puts the sequence number at
> > the end of the receive window.
> 
> Would it be feasible for us to create a four to five element array to
> track "resettable" sequence numbers?  This could hold the sequence numbers
> of the last few packets transmitted, and account for that edge case as
> well.  I'm very uneasy with the IETF step C - sending more packets out
> into the network sounds like a new type of amplification attack.

I'm also somewhat skeptical.  Considering the attack that this is
supposed to mitigate, it would probably be a good idea to implement this
as a compile time option defaulting OFF at first.  Those really worried
about an attack (running BGP?) can utilize it, as well as those testing
interoperability for a while.

Cheers,
-- 
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org
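The RST sequence-number check the three messages above argue about, as an added example; this is not FreeBSD's tcp_input code nor the text of the IETF draft. The "strict" branch is this editor's reading of what the thread calls step C (accept an RST only when its sequence number equals rcv_nxt, answer any other in-window RST with an ACK, drop everything else), the non-strict branch is the classic RFC 793 "any in-window RST kills the connection" rule, and the five-slot ring of recently sent window edges is Mike Silbersack's proposal. The names struct tcb, classify_rst and tcb_note_sent, the numbers in the scenario, and the zero-window handling are assumptions made for illustration.

```c
/* Added example: RST acceptance checks from the FreeBSD thread above.
 * Not FreeBSD code; struct, names and values are invented for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum rst_action { RST_DROP = 0, RST_CHALLENGE_ACK = 1, RST_ACCEPT = 2 };

#define RESETTABLE_SLOTS 5   /* the "four to five element array" proposed above */

struct tcb {
    uint32_t rcv_nxt;                      /* next byte we expect from the peer */
    uint32_t rcv_wnd;                      /* window we currently advertise */
    uint32_t resettable[RESETTABLE_SLOTS]; /* right edges (ack+win) we recently sent */
    unsigned resettable_head;              /* ring write index */
    unsigned resettable_count;             /* slots in use, <= RESETTABLE_SLOTS */
};

/* Modular comparisons so the checks survive 32-bit sequence wraparound. */
static bool seq_lt(uint32_t a, uint32_t b)  { return (int32_t)(a - b) < 0; }
static bool seq_geq(uint32_t a, uint32_t b) { return (int32_t)(a - b) >= 0; }

/* RFC 793 acceptance test for a zero-length segment:
 * rcv_nxt <= seq < rcv_nxt + rcv_wnd, or seq == rcv_nxt when the window is 0. */
static bool in_window(const struct tcb *t, uint32_t seq)
{
    if (t->rcv_wnd == 0)
        return seq == t->rcv_nxt;
    return seq_geq(seq, t->rcv_nxt) && seq_lt(seq, t->rcv_nxt + t->rcv_wnd);
}

/* Record the right window edge of a segment we just sent (data, ACK or FIN).
 * Don Lewis's peer uses exactly this value, ack + win, as the RST sequence number. */
void tcb_note_sent(struct tcb *t, uint32_t ack_sent, uint32_t wnd_sent)
{
    t->resettable[t->resettable_head] = ack_sent + wnd_sent;
    t->resettable_head = (t->resettable_head + 1) % RESETTABLE_SLOTS;
    if (t->resettable_count < RESETTABLE_SLOTS)
        t->resettable_count++;
}

static bool matches_sent_edge(const struct tcb *t, uint32_t seq)
{
    for (unsigned i = 0; i < t->resettable_count; i++)
        if (t->resettable[i] == seq)
            return true;
    return false;
}

/* Classify an incoming RST carrying sequence number seq.
 * strict == false: RFC 793, any in-window RST is accepted.
 * strict == true : tightened check -- exact match on rcv_nxt (or on a right
 *                  edge we recently advertised) is accepted, other in-window
 *                  RSTs are answered with an ACK, out-of-window RSTs dropped.
 * Nothing is transmitted here; the caller decides whether and how often to
 * actually send the ACK, which is where the amplification worry lives. */
enum rst_action classify_rst(const struct tcb *t, uint32_t seq, bool strict)
{
    if (!strict)
        return in_window(t, seq) ? RST_ACCEPT : RST_DROP;
    if (seq == t->rcv_nxt || matches_sent_edge(t, seq))
        return RST_ACCEPT;
    if (in_window(t, seq))
        return RST_CHALLENGE_ACK;
    return RST_DROP;
}

/* Don Lewis's scenario with constructed numbers: we sent FIN with ack=1000,
 * win=65535; the peer answers RST with seq = 1000 + 65535 = 66535, one byte
 * past our receive window. With the ring of sent edges the RST is accepted. */
enum rst_action fin_rst_scenario(bool remember_sent_edges)
{
    struct tcb t = { .rcv_nxt = 1000, .rcv_wnd = 65535 };
    if (remember_sent_edges)
        tcb_note_sent(&t, 1000, 65535);
    return classify_rst(&t, 66535, true);
}

int main(void)
{
    printf("strict, no history:   %d\n", fin_rst_scenario(false)); /* 0 = drop */
    printf("strict, with history: %d\n", fin_rst_scenario(true));  /* 2 = accept */
    return 0;
}
```

The strict branch is what makes a blindly spoofed RST hard: an attacker who does not know rcv_nxt now has to hit one of at most six exact values instead of any point in a 64 KB window, while an in-window guess only earns an ACK that the legitimate peer will ignore. The ring solves the FIN edge case Don Lewis describes without widening the check beyond values this host actually advertised.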
