[70397] in North American Network Operators' Group
Re: Cisco's Statement about IPR Claimed in draft-ietf-tcpm-tcpsecure
daemon@ATHENA.MIT.EDU (Todd Vierling)
Thu May 13 13:11:28 2004
Date: Thu, 13 May 2004 13:07:36 -0400 (EDT)
From: Todd Vierling <tv@duh.org>
To: Valdis.Kletnieks@vt.edu
Cc: nanog@merit.edu
In-Reply-To: <200405131550.i4DFodYx018135@turing-police.cc.vt.edu>
Errors-To: owner-nanog-outgoing@merit.edu
On Thu, 13 May 2004 Valdis.Kletnieks@vt.edu wrote:
: Well.. you have to remember that we live in an environment where people
: are *just* noticing that RFC793 says "The RST has to be in the window,
: not dead on".
Right, and 32 - <window bits> + <random port bits> in a /reasonable/
implementation totals at least 28 [bits that must be guessed by the
attacker].
Whereas the Internet-Draft claims, by assuming that both source and dest
ports are knowns, the number of bits required for the attack is 16 (or even
lower) and thus can cause connection resets "even at DSL speed."
A 2^[28..33] problem is much more difficult to attack than a 2^[14..16]
problem. It's amazing that such a cheap source of entropy -- randomizing
the source port appropriately -- is being so readily discounted.
(In case you're curious, 2^33 is achievable for things like BGP, where it's
not certain which end initiated the connection. You get one extra bit for
the originator choice, on top of a fully randomized 16-bit port and a 16-bit
window size: 2^33.)
--
-- Todd Vierling <tv@duh.org> <tv@pobox.com>
