From owner-freebsd-security Fri Oct 6 14:16:16 2000
Delivered-To: freebsd-security@freebsd.org
Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20])
	by hub.freebsd.org (Postfix) with ESMTP id 153C437B502
	for ; Fri, 6 Oct 2000 14:16:14 -0700 (PDT)
Received: (from bright@localhost)
	by fw.wintelcom.net (8.10.0/8.10.0) id e96LG8a06070;
	Fri, 6 Oct 2000 14:16:08 -0700 (PDT)
Date: Fri, 6 Oct 2000 14:16:08 -0700
From: Alfred Perlstein
To: Roman Shterenzon
Cc: security@FreeBSD.ORG
Subject: Re: HERT advisory: FreeBSD IP Spoofing (fwd)
Message-ID: <20001006141608.H266@fw.wintelcom.net>
References: <20001006135157.G266@fw.wintelcom.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
In-Reply-To: ; from roman@xpert.com on Fri, Oct 06, 2000 at 11:09:30PM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

* Roman Shterenzon [001006 14:09] wrote:
> On Fri, 6 Oct 2000, Alfred Perlstein wrote:
>
> > * Roman Shterenzon [001006 13:50] wrote:
> > > It's great to see 2.2.8 patched !
> > > Any idea about the solaris implementation of rfc1948 ?
> > > Can this be done in FreeBSD?
> >
> > I don't have time to look that up, what is it? SACK?
> >
> > If it is afaik someone is already working on it.
> RFC1948 - Defending Against Sequence Number Attacks
>
> Solaris has "sysctl" alike interface (ndd) for those;
>
> # TCP_STRONG_ISS sets the TCP initial sequence number generation parameters.
> # Set TCP_STRONG_ISS to be:
> # 0 = Old-fashioned sequential initial sequence number generation.
> # 1 = Improved sequential generation, with random variance in increment.
> # 2 = RFC 1948 sequence number generation, unique-per-connection-ID.

I'm sure it's possible to do this with FreeBSD, from what it looks like
we implement option 1, with patches I'm sure we could do '2' as well.

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."
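
What "unique-per-connection-ID" in setting 2 of the quoted ndd comment means in practice, as an added example that is not part of the original message and is not Solaris or FreeBSD code: RFC 1948 computes ISS = M + F(localhost, localport, remotehost, remoteport, secret), with M the 4-microsecond timer and MD5 suggested for F. The function names, the sample addresses, the secret and the simplified model of setting 0 are assumptions made for illustration.

```python
import hashlib
import socket
import struct

MASK32 = 0xFFFFFFFF

def timer_m(clock_us):
    """M: the 32-bit counter that advances once every 4 microseconds."""
    return (clock_us // 4) & MASK32

def conn_offset(laddr, lport, raddr, rport, secret):
    """F(localhost, localport, remotehost, remoteport, secret), cut to 32 bits.
    MD5 is the hash RFC 1948 suggests for F."""
    conn_id = (socket.inet_aton(laddr) + struct.pack("!H", lport) +
               socket.inet_aton(raddr) + struct.pack("!H", rport))
    return struct.unpack("!I", hashlib.md5(conn_id + secret).digest()[:4])[0]

def iss_sequential(clock_us):
    """Setting 0, simplified model: one global sequence for every connection."""
    return timer_m(clock_us)

def iss_rfc1948(clock_us, laddr, lport, raddr, rport, secret):
    """Setting 2: ISS = M + F(connection ID, secret), modulo 2**32."""
    offset = conn_offset(laddr, lport, raddr, rport, secret)
    return (timer_m(clock_us) + offset) & MASK32

def seq_delta(later, earlier):
    """Distance between two sequence numbers in 32-bit modular arithmetic."""
    return (later - earlier) & MASK32

# Constructed sample values (documentation address ranges). A real stack
# would draw the secret from a random source at boot and keep it private.
SECRET = b"constructed-per-boot-secret"
SERVER = ("192.0.2.10", 80)
CLIENT_A = ("198.51.100.7", 1023)
CLIENT_B = ("203.0.113.9", 1023)

def demo():
    t0, t1 = 1_000_000, 1_000_400  # microseconds, 100 timer ticks apart
    a0 = iss_rfc1948(t0, *SERVER, *CLIENT_A, SECRET)
    a1 = iss_rfc1948(t1, *SERVER, *CLIENT_A, SECRET)
    b1 = iss_rfc1948(t1, *SERVER, *CLIENT_B, SECRET)
    return {
        # Same connection ID: ISS still advances with M, as TCP requires.
        "same_conn_id_delta": seq_delta(a1, a0),
        # Other connection ID: the delta also contains F(B) - F(A).
        "cross_conn_delta": seq_delta(b1, a0),
        # Setting 0 model: elapsed time alone fixes the delta for any peer.
        "sequential_delta": seq_delta(iss_sequential(t1), iss_sequential(t0)),
    }

if __name__ == "__main__":
    print(demo())
```

The ISS a host hands to one peer therefore says nothing useful about the ISS it will hand to a different peer unless the secret is known, while reincarnations of the same connection still see increasing sequence numbers.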