[740] in bugtraq


Re: IP spoofing vs tcp wrappers and netacl

daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Tue Jan 24 16:32:37 1995

To: Christopher Klaus <cklaus@shadow.net>
Cc: bugtraq@fc.net, firewalls@GreatCircle.COM
In-Reply-To: Your message of "Tue, 24 Jan 1995 13:33:48 EST."
             <199501241833.NAA19046@shadow.net> 
Reply-To: perry@imsi.com
Date: Tue, 24 Jan 1995 13:46:12 -0500
From: "Perry E. Metzger" <perry@imsi.com>


Christopher Klaus says:
> > Christopher Klaus says:
> > > Probably the best way to prevent IP spoofing attacks is to turn off all
> > > ip-based authentication services, ie rsh, rlogin are the main ones.
> > 
> > Insufficient. If you can see at least part of the packet stream, you
> > can session-steal. This makes a mockery of things like S/Key.
> 
> If you have an attacker that is listening to your packet stream, you
> have a more serious problem than just IP spoofing attacks.

Well, I'm afraid that judicious use of the protocols can under some
circumstances be enough to knock just a couple of packets your way if you
are pretty sure a link exists, and that's all you need to steal the
connection. Given the way that the internet works, this is a problem
for anyone traversing a firewall with a system like SNK, S/Key, Secure
ID, or whatever, because their session could be hijacked after the fact.

> The only long-term solution that would adequately fix many of these
> problems is cryptography being implemented in authentication and encrypting
> all network traffic.

That is indeed the case. As I've noted, see draft-metzger-* in the
nearest internet drafts directory for details on how to do that. I
should be releasing an implementation for 4.4BSD kernels under a
Berkeley style copyright.

Perry
