nanog mailing list archives
Re: Cisco's Statement about IPR Claimed in draft-ietf-tcpm-tcpsecure
From: Iljitsch van Beijnum <iljitsch () muada com>
Date: Thu, 13 May 2004 19:47:15 +0200
On 13-May-04, at 19:07, Todd Vierling wrote:
> Whereas the Internet-Draft claims, by assuming that both source and dest ports are known, the number of bits required for the attack is 16 (or even lower) and thus can cause connection resets "even at DSL speed."
Guess what, they call them drafts because they're not finished yet. So why don't you say something to the author?
> A 2^[28..33] problem is much more difficult to attack than a 2^[14..16] problem. It's amazing that such a cheap source of entropy -- randomizing the source port appropriately -- is being so readily discounted.
> (In case you're curious, 2^33 is achievable for things like BGP, where it's not certain which end initiated the connection. You get one extra bit for the originator choice, on top of a fully randomized 16-bit port and a 16-bit window size: 2^33.)
I don't think you can fully randomize the source port as it might clash with well-known ports. Also, it may be somewhat expensive to make ports truly random. (But not as expensive as doing MD5 for the whole session.)
But why are you assuming the window size is 64k? This is completely unnecessary, and not done in practice by "real" routers: those typically use a 16k window. It should even be possible to set the window to a very small size, such as 64 bytes. That's enough to receive the initial BGP header, after which the window can be set to a larger size until the session is idle again.
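The exchange above argues about how many bits a blind-reset attacker has to guess, and how the receive window and source-port randomization move that number. The following calculator is an added example, not code from the thread or from the tcpsecure draft; it reproduces the arithmetic the two posters are doing (sequence-number guesses = 2^32 / window, times port entropy, times 2 when the connection originator is unknown) and adds a rough time-to-exhaust figure for a given link rate. The 40-byte minimal TCP segment and the link rates used are constructed assumptions for illustration.

```python
import math

SEQ_SPACE = 2 ** 32          # size of the TCP sequence-number space
MIN_SEGMENT_BYTES = 40       # assumption: IPv4 + TCP headers, no options/payload


def blind_reset_guesses(window_bytes, port_bits, originator_unknown):
    """Number of segments an attacker must send to cover the whole
    search space for a blind TCP reset against one connection.

    window_bytes      - receiver's advertised window; a RST is accepted if
                        its sequence number falls anywhere inside it
    port_bits         - bits of entropy in the (source) port the attacker
                        does not know: 0 if both ports are known,
                        up to 16 for a fully randomized port
    originator_unknown- True when the attacker cannot tell which side
                        initiated the session (the BGP case in the thread)
    """
    seq_guesses = math.ceil(SEQ_SPACE / window_bytes)
    port_guesses = 2 ** port_bits
    side_guesses = 2 if originator_unknown else 1
    return seq_guesses * port_guesses * side_guesses


def search_space_bits(window_bytes, port_bits, originator_unknown):
    """Same quantity expressed in bits, the unit the thread argues in."""
    return math.log2(blind_reset_guesses(window_bytes, port_bits, originator_unknown))


def seconds_to_exhaust(guesses, link_bps, segment_bytes=MIN_SEGMENT_BYTES):
    """Worst-case time to send every guess at a given link rate.
    Ignores any per-packet overhead below the IP layer."""
    return guesses * segment_bytes * 8 / link_bps


if __name__ == "__main__":
    # Scenarios taken from the discussion; link rates are constructed examples.
    scenarios = [
        ("draft assumption: both ports known, 64 KiB window", 65536, 0, False),
        ("random port + 64 KiB window + unknown originator", 65536, 16, True),
        ("random port + 16 KiB window + unknown originator", 16384, 16, True),
        ("random port + 64-byte idle window + unknown originator", 64, 16, True),
    ]
    for label, win, pbits, unknown in scenarios:
        g = blind_reset_guesses(win, pbits, unknown)
        print(f"{label}: 2^{search_space_bits(win, pbits, unknown):.1f} guesses")
        for name, bps in (("1 Mbit/s DSL", 1_000_000), ("100 Mbit/s", 100_000_000)):
            print(f"    worst case at {name}: {seconds_to_exhaust(g, bps):,.0f} s")
```

The 64 KiB / known-ports row reproduces the draft's 16-bit figure, and the fully randomized row reproduces the 2^33 in the quoted post; shrinking the idle window to 64 bytes adds another ten bits on top of that, which is the point Iljitsch makes about small windows while a BGP session is idle.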
Current thread:
- Cisco's Statement about IPR Claimed in draft-ietf-tcpm-tcpsecure David Krause (May 11)
- Re: Cisco's Statement about IPR Claimed in draft-ietf-tcpm-tcpsecure Tony Li (May 11)
- Re: Cisco's Statement about IPR Claimed in draft-ietf-tcpm-tcpsecure Todd Vierling (May 12)
- Re: Cisco's Statement about IPR Claimed in draft-ietf-tcpm-tcpsecure Peter Galbavy (May 13)
- Re: Cisco's Statement about IPR Claimed in draft-ietf-tcpm-tcpsecure Valdis . Kletnieks (May 13)
- Re: Cisco's Statement about IPR Claimed in draft-ietf-tcpm-tcpsecure Todd Vierling (May 13)
- Re: Cisco's Statement about IPR Claimed in draft-ietf-tcpm-tcpsecure Iljitsch van Beijnum (May 13)
- Re: Cisco's Statement about IPR Claimed in draft-ietf-tcpm-tcpsecure Todd Vierling (May 13)
- Re: Cisco's Statement about IPR Claimed in draft-ietf-tcpm-tcpsecure Henning Brauer (May 13)
- Re: Cisco's Statement about IPR Claimed in draft-ietf-tcpm-tcpsecure Steven M. Bellovin (May 13)
- Re: Cisco's Statement about IPR Claimed in draft-ietf-tcpm-tcpsecure Patrick W . Gilmore (May 13)
- RE: Cisco's Statement about IPR Claimed in draft-ietf-tcpm-tcpsecure Terry Baranski (May 19)
- Re: Cisco's Statement about IPR Claimed in draft-ietf-tcpm-tcpsecure Iljitsch van Beijnum (May 13)