Date:      Fri, 6 Oct 2000 14:16:08 -0700
From:      Alfred Perlstein <bright@wintelcom.net>
To:        Roman Shterenzon <roman@xpert.com>
Cc:        security@FreeBSD.ORG
Subject:   Re: HERT advisory: FreeBSD IP Spoofing (fwd)
Message-ID:  <20001006141608.H266@fw.wintelcom.net>
In-Reply-To: <Pine.LNX.4.10.10010062304060.464-100000@jamus.xpert.com>; from roman@xpert.com on Fri, Oct 06, 2000 at 11:09:30PM +0200
References:  <20001006135157.G266@fw.wintelcom.net> <Pine.LNX.4.10.10010062304060.464-100000@jamus.xpert.com>

* Roman Shterenzon <roman@xpert.com> [001006 14:09] wrote:
> On Fri, 6 Oct 2000, Alfred Perlstein wrote:
> 
> > * Roman Shterenzon <roman@xpert.com> [001006 13:50] wrote:
> > > It's great to see 2.2.8 patched !
> > > Any idea about the solaris implementation of rfc1948 ?
> > > Can this be done in FreeBSD?
> > 
> > I don't have time to look that up, what is it? SACK?
> > 
> > If it is, afaik someone is already working on it.
> RFC1948 - Defending Against Sequence Number Attacks
> 
> Solaris has a "sysctl"-like interface (ndd) for those:
> 
> # TCP_STRONG_ISS sets the TCP initial sequence number generation parameters.
> # Set TCP_STRONG_ISS to be:
> #     0 = Old-fashioned sequential initial sequence number generation.
> #     1 = Improved sequential generation, with random variance in increment.
> #     2 = RFC 1948 sequence number generation, unique-per-connection-ID.

I'm sure it's possible to do this with FreeBSD. From what it looks like,
we implement option 1; with patches I'm sure we could do '2' as well.

-- 
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."


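The three TCP_STRONG_ISS modes quoted in the message above, modelled in Python as an added example (not part of the original e-mail, and not FreeBSD or Solaris code). Mode 2 follows RFC 1948's ISN = M + F(localhost, localport, remotehost, remoteport, secret) with MD5 as F; the class and function names, the `STEP` and `VARIANCE` constants, the secret size and the sample addresses are assumptions constructed for illustration.

```python
import hashlib
import secrets
import socket
import struct

MOD = 2**32
STEP = 64000      # constructed per-connection increment for modes 0 and 1
VARIANCE = 4096   # constructed bound on mode 1's random extra increment

class GlobalIss:
    """Simplified model of modes 0 and 1: one counter shared by every connection."""
    def __init__(self, randomize):
        self.counter = secrets.randbelow(MOD)
        self.randomize = randomize

    def next_iss(self, conn):
        # conn is ignored: the sequence does not depend on the connection ID
        extra = secrets.randbelow(VARIANCE) if self.randomize else 0
        self.counter = (self.counter + STEP + extra) % MOD
        return self.counter

def rfc1948_offset(secret, conn):
    """F(localhost, localport, remotehost, remoteport, secret), truncated to 32 bits."""
    laddr, lport, raddr, rport = conn
    data = (socket.inet_aton(laddr) + struct.pack("!H", lport) +
            socket.inet_aton(raddr) + struct.pack("!H", rport) + secret)
    return struct.unpack("!I", hashlib.md5(data).digest()[:4])[0]

def rfc1948_iss(secret, conn, now_us):
    """Mode 2: ISN = M + F(...), with M the 4-microsecond timer."""
    return (now_us // 4 + rfc1948_offset(secret, conn)) % MOD

def gap(first, second):
    """Distance from one ISS to a later one in 32-bit sequence space."""
    return (second - first) % MOD

if __name__ == "__main__":
    secret = secrets.token_bytes(16)               # per-boot secret (assumed size)
    a = ("192.0.2.10", 80, "198.51.100.7", 40000)  # constructed connection IDs
    b = ("192.0.2.10", 80, "203.0.113.9", 40000)
    for name, gen in (("mode 0", GlobalIss(False)), ("mode 1", GlobalIss(True))):
        print(name, "gap A->B:", gap(gen.next_iss(a), gen.next_iss(b)))
    print("mode 2 gap A->B:", gap(rfc1948_iss(secret, a, 0), rfc1948_iss(secret, b, 400)))
    print("mode 2 gap A->A:", gap(rfc1948_iss(secret, a, 0), rfc1948_iss(secret, a, 400)))
```

In modes 0 and 1 the gap between the ISS values given to two different peers is fixed or confined to a small window, whereas in mode 2 it depends on the secret, while a reused connection ID still sees the sequence space advance with the timer.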



