Re: [Full-Disclosure] IETF Draft - Fix for TCP vulnerability (fwd)

From: Don Lewis (truckman_at_FreeBSD.org)
Date: Tue, 20 Apr 2004 20:46:44 -0700 (PDT)
To: avalon@caligula.anu.edu.au

  • Next message: Mike Silbersack: "Re: [Full-Disclosure] IETF Draft - Fix for TCP vulnerability (fwd)"


    On 20 Apr, Don Lewis wrote:
    > On 21 Apr, Darren Reed wrote:

    >>> http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-00.txt
    >
    > I saw this draft earlier today.
    >
    > RFC793 [1] currently requires handling of a segment with the RST bit
    > when in a synchronized state to be processed as follows:
    > 1) If the RST bit is set and the sequence number is outside the
    > expected window, silently drop the segment.
    > 2) If the RST bit is set and the sequence number is acceptable i.e.:
    > (RCV.NXT <= SEG.SEQ <= RCV.NXT+RCV.WND) then reset the connection.
    >
    >
    > Instead, the following changes should be made to provide some
    > protection against such an attack.
    > A) If the RST bit is set and the sequence number is outside the
    > expected window, silently drop the segment.
    > B) If the RST bit is exactly the next expected sequence number, reset
    > the connection.
    > C) If the RST bit is set and the sequence number does not exactly
    > match the next expected sequence value, yet is within the
    > acceptable window (RCV.NXT < SEG.SEQ <= RCV.NXT+RCV.WND) send an
    > acknowledgment.
    >
    >
    > Our original implementation of the RST sequence number checking was much
    > more permissive than RFC 793. I submitted a patch, which was included
    > in tcp_input.c version 1.81 that implemented steps A and B above. It
    > was discovered that this is incompatible with certain peers, so the code
    > was changed to match RFC 793 in tcp_input.c 1.98.
    >
    > I don't know if adding step C will fix the problem. There may be further
    > info in the list archives.

    From what I see here:
            <http://docs.freebsd.org/cgi/getmsg.cgi?fetch=71731+0+archive/1999/freebsd-net/19991128.freebsd-net>
    I am concerned that step C will not solve the compatibility problem. The
    FreeBSD host is sending a FIN to close an established connection, and
    the peer host is adding the window size advertised in the FIN packet to the
    sequence number acknowledged in the FIN packet, and using the sum as the
    sequence number for the RST packet, which puts the sequence number at
    the end of the receive window.

    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
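The three RST-acceptance rules compared in this thread (RFC 793 as quoted above, steps A+B alone as in tcp_input.c 1.81, and steps A+B+C from the draft), as an added example in C. This is illustration code written for this page, not FreeBSD's tcp_input.c and not text from the draft; the `struct tcb`, the function names and the sample numbers are assumptions. The peer's RST sequence number is built the way the archived report describes (the ACK number of our FIN plus the window that FIN advertised), so the reader can see which branch each policy takes for that segment. The window test follows the inclusive upper bound exactly as this message quotes it from RFC 793.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not FreeBSD's tcp_input.c: the RST-acceptance policies
 * discussed in the thread.  Sequence arithmetic is modulo 2^32, in the
 * style of the BSD SEQ_LT/SEQ_GT macros.
 */
#define SEQ_LT(a, b)  ((int32_t)((uint32_t)(a) - (uint32_t)(b)) < 0)
#define SEQ_GT(a, b)  ((int32_t)((uint32_t)(a) - (uint32_t)(b)) > 0)

enum rst_action { RST_DROP = 0, RST_RESET = 1, RST_CHALLENGE_ACK = 2 };

/* Receiver-side state of a synchronized connection (hypothetical struct). */
struct tcb {
    uint32_t rcv_nxt;   /* next sequence number we expect from the peer */
    uint32_t rcv_wnd;   /* receive window we currently advertise */
};

/* RCV.NXT <= SEG.SEQ <= RCV.NXT+RCV.WND, the test as quoted from RFC 793. */
static int seq_in_window(const struct tcb *tp, uint32_t seg_seq)
{
    return !SEQ_LT(seg_seq, tp->rcv_nxt) &&
           !SEQ_GT(seg_seq, tp->rcv_nxt + tp->rcv_wnd);
}

/* RFC 793 rule (tcp_input.c 1.98): any in-window RST resets the connection. */
enum rst_action rst_rfc793(const struct tcb *tp, uint32_t seg_seq)
{
    return seq_in_window(tp, seg_seq) ? RST_RESET : RST_DROP;
}

/* Steps A and B only (tcp_input.c 1.81): reset only on an exact RCV.NXT match,
 * everything else is dropped. */
enum rst_action rst_exact_only(const struct tcb *tp, uint32_t seg_seq)
{
    return seg_seq == tp->rcv_nxt ? RST_RESET : RST_DROP;
}

/* Steps A, B and C from draft-ietf-tcpm-tcpsecure-00. */
enum rst_action rst_tcpsecure(const struct tcb *tp, uint32_t seg_seq)
{
    if (!seq_in_window(tp, seg_seq))
        return RST_DROP;            /* A: outside the window, silently drop */
    if (seg_seq == tp->rcv_nxt)
        return RST_RESET;           /* B: exactly the next expected sequence number */
    return RST_CHALLENGE_ACK;       /* C: in window but not exact, send an ACK */
}

/* Sequence number the peer in the archived report puts in its RST: the ACK
 * number of our FIN plus the window that FIN advertised, i.e. the end of our
 * receive window. */
uint32_t peer_rst_seq(uint32_t fin_ack, uint32_t fin_wnd)
{
    return fin_ack + fin_wnd;
}

int main(void)
{
    /* Constructed values: we have acked 1000 from the peer and advertise 65535. */
    struct tcb tp = { 1000u, 65535u };
    uint32_t seq = peer_rst_seq(tp.rcv_nxt, tp.rcv_wnd);
    static const char *name[] = { "drop", "reset", "challenge ACK" };

    printf("peer RST seq=%u (RCV.NXT+RCV.WND)\n", seq);
    printf("  RFC 793:    %s\n", name[rst_rfc793(&tp, seq)]);
    printf("  A+B (1.81): %s\n", name[rst_exact_only(&tp, seq)]);
    printf("  A+B+C:      %s\n", name[rst_tcpsecure(&tp, seq)]);
    return 0;
}
```

Run as-is, the program shows the end-of-window RST being reset under the RFC 793 rule, dropped under A+B, and answered with an ACK under A+B+C, which is the case the message above is worried about. The modular comparisons matter: a connection whose RCV.NXT is just below 2^32 still classifies a segment just past the wrap correctly.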
