Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Cisco's Statement about IPR Claimed in draft-ietf-tcpm-tcpsecure

  • From: Iljitsch van Beijnum
  • Date: Thu May 13 13:50:19 2004

On 13-mei-04, at 19:07, Todd Vierling wrote:

Whereas the Internet-Draft claims, by assuming that both source and dest
ports are knowns, the number of bits required for the attack is 16 (or even
lower) and thus can cause connection resets "even at DSL speed."
Guess what, they call them drafts because they're not finished yet. So why don't you say something to the author?

A 2^[28..33] problem is much more difficult to attack than a 2^[14..16]
problem. It's amazing that such a cheap source of entropy -- randomizing
the source port appropriately -- is being so readily discounted.

(In case you're curious, 2^33 is achievable for things like BGP, where it's
not certain which end initiated the connection. You get one extra bit for
the originator choice, on top of a fully randomized 16-bit port and a 16-bit
window size: 2^33.)
I don't think you can fully randomize the source port as it might clash with well-known ports. Also, it may be somewhat expensive to make ports truly random. (But not as expensive as doing MD5 for the whole session.)

But why are you assuming the window size is 64k? This is completely unnecessary, and not done in practice by "real" routers: those typically use a 16k window. It should even be possible to set the window to a very small size, such as 64 bytes. That's enough to receive the initial BGP header, after which the window can be set to a larger size until the session is idle again.

Discussion Communities

About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home

Merit Network, Inc.