Re: IP spoofing vs tcp wrappers and netacl

[perry () imsi com (Perry E. Metzger)]

Christopher Klaus says:
> > Christopher Klaus says:
> > > Probably the best way to prevent IP spoofing attacks is to turn off all
> > > ip-based authenication services, ie rsh, rlogin are the main ones.
> >
> > Insufficient. If you can see at least part of the packet stream, you
> > can session-steal. This makes a mockery of things like S/Key.
>
> If you have an attacker that is listening to your packet stream, you
> have more serious problem than just IP spoofing attacks.

Well, I'm afraid that judicious use of the protocols can under some
circumstances be enough knock just a couple of packets your way if you
are pretty sure a link exists, and thats all you need to steal the
connection. Given the way that the internet works, this is a problem
for anyone traversing a firewall with a system like SNK, S/Key, Secure
ID, or whatever, because their session could be hijacked after the fact.

> The only long-term solution that would adequately fix many of these
> problems is cryptography being implemented in authenication and encrypting
> all network traffic.

That is indeed the case. As I've noted, see draft-metzger-* in the
nearest internet drafts directory for details on how to do that. I
should be releasing an implementation for 4.4BSD kernels under a
Berkeley style copyright.

Perry