North American Network Operators Group

Re: TCP/BGP vulnerability - easier than you think
Questions arose while trying to explain proposed TCP fixes to my students. Can y'all help me with these?

We were going over the "Transmission Control Protocol security considerations draft-ietf-tcpm-tcpsecure-00.txt" document here when the questions arose:

http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-00.txt

The questions have to do with this from the document:

   the following changes should be made to provide some protection against such an attack.

   A) If the RST bit is set and the sequence number is outside the expected window, silently drop the segment.

   B) If the RST bit is exactly the next expected sequence number, reset the connection.

   C) If the RST bit is set and the sequence number does not exactly match the next expected sequence value, yet is within the acceptable window (RCV.NXT < SEG.SEQ <= RCV.NXT+RCV.WND) send an acknowledgment.

   This solution forms a challenge/response with any RST where the value does not exactly match the expected value and yet the RST is within the window. In cases of a legitimate reset without the exact sequence number, the consequences of this new challenge/response will be that the peer requires an extra round trip time before the connection can be reset.

So, per item C, does the recipient of a RST with a sequence number that does not exactly match the next expected sequence value not reset the connection? It sends an ACK but keeps the connection open?

The ACK will go to the correct TCP partner, not the attacker presumably. So then that partner resets. But where does this leave the other partner (the recipient of the RST)? Is the assumption that this side may continue sending, which would cause the other side to RST (since it closed the session) and this RST would have the correct sequence number so the connection would get reset from both partners' points of view?

Regardless of hackers, we're trying to figure out how to legitimately RST despite possibly not having the exact right sequence value.
Thanks,

Priscilla Oppenheimer

At 09:48 PM 4/23/04, Todd Vierling wrote:

On Fri, 23 Apr 2004, Leo Bicknell wrote:

_______________________________

Priscilla Oppenheimer
www.priscilla.com

When your Daemon is in charge, do not try to think consciously. Drift, wait, and obey. -- Kipling.
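
The three RST cases quoted in the message above, written out as an added example (not part of the original post or of the draft; function and enum names are hypothetical). It uses the window bounds exactly as quoted, compares sequence numbers modulo 2^32, and follows case C through the extra round trip, relying on the RFC 793 rule that a reset sent in reply to a segment with an ACK takes its sequence number from that ACK field.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example: names below are hypothetical, not taken from the draft. */
enum rst_action { RST_DROP, RST_RESET, RST_CHALLENGE_ACK };

/* Classify an incoming RST per items A-C as quoted in the message.
 * Sequence numbers are mod 2^32, so compare the offset from RCV.NXT
 * instead of raw values; this stays correct across wraparound. */
enum rst_action classify_rst(uint32_t rcv_nxt, uint32_t rcv_wnd, uint32_t seg_seq)
{
    uint32_t off = seg_seq - rcv_nxt;      /* unsigned wrap is intended */
    if (off == 0)
        return RST_RESET;                  /* B: exactly the next expected value */
    if (off <= rcv_wnd)
        return RST_CHALLENGE_ACK;          /* C: RCV.NXT < SEG.SEQ <= RCV.NXT+RCV.WND */
    return RST_DROP;                       /* A: outside the window */
}

/* RFC 793 reset generation: a host with no matching connection answers a
 * segment that carries an ACK with <SEQ=SEG.ACK><CTL=RST>. */
uint32_t rst_seq_for_unknown_ack(uint32_t seg_ack) { return seg_ack; }

/* Case C end to end: the challenge ACK carries ACK=RCV.NXT. A peer that really
 * closed replies with an RST at exactly that value; an off-path sender of the
 * first RST never sees the ACK. Returns the action taken on the second RST. */
enum rst_action legit_peer_after_challenge(uint32_t rcv_nxt, uint32_t rcv_wnd)
{
    uint32_t challenge_ack = rcv_nxt;
    return classify_rst(rcv_nxt, rcv_wnd, rst_seq_for_unknown_ack(challenge_ack));
}

int main(void)
{
    static const char *name[] = { "drop", "reset", "challenge-ack" };
    /* Constructed values: the receive window wraps past 2^32. */
    uint32_t nxt = 0xFFFFFF00u, wnd = 0x4000u;
    uint32_t seqs[] = { 0xFFFFFF00u, 0xFFFFFF01u, 0x00001000u,
                        0x00003F00u, 0x00003F01u, 0xFFFFFEFFu };
    for (size_t i = 0; i < sizeof seqs / sizeof seqs[0]; i++)
        printf("SEG.SEQ=0x%08X -> %s\n", (unsigned)seqs[i],
               name[classify_rst(nxt, wnd, seqs[i])]);
    printf("second RST from real peer -> %s\n",
           name[legit_peer_after_challenge(nxt, wnd)]);
    return 0;
}
```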