Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Cisco's Statement about IPR Claimed in draft-ietf-tcpm-tcpsecure

  • From: Todd Vierling
  • Date: Wed May 12 21:55:42 2004

On Tue, 11 May 2004, David Krause wrote:

: http://www.ietf.org/ietf/IPR/cisco-ipr-draft-ietf-tcpm-tcpsecure.txt

The same document that fully ignores that port number randomness will
severely limit the risk of susceptibility to such an attack?  S**t, the only
mention of port numbers at all is in the following text snippet:

=====
   this means that most connections (assuming the attacker can
   accurately guess both ports) can be reset in under 200 seconds
   (usually far less).
=====

(Burp.  Pardon me for the half-censored expletive.)

And exactly why are we supposed to assume that anyone can guess /both/ ports
on any connection where the attacker is external?  Oh, that's right, because
we're all paranoid and gun-shy.  (This /is/ NANOG, after all.  8-)

Sure, randomization doesn't help if someone netstat(8)s for connections
while logged into a host, but reasonable admins shouldn't be letting
unprivileged users see network info for critical services, or other users'
connections for that matter.  Read that as:  "Don't make netstat setuid."

Gimme a break.  This text is a half-baked concoction at best if the next
draft still doesn't mention port randomization as a cheap and effective
mitigator for external attack attempts.  You can get at least 14 bits of
entropy for one lousy arc4random() call.  Enter as often as you like.  No
purchase required.

With this and the patent funny business, I don't know if I can roll my eyes
any further into the back of my head.

-- 
-- Todd Vierling <tv@duh.org> <tv@pobox.com>




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.