(OT) rfc1948 question

Nickolay A. Kritsky nkritsky at internethelp.ru
Mon Apr 14 01:58:56 PDT 2003


  Hi, folks @ freebsd-security.

First, I am not sure if this is an appropriate topic for that list, so
sorry if it is not.

Some time ago I read RFC 1948 (protection from blind TCP spoofing)
and became interested in how it is implemented in FreeBSD.
After some googling (BTW if you like Google you might be interested in
this: http://register.spectator.ru/img/bart.gif ), I found this:
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/tcp_subr.c
where in "Revision 1.73.2.22" one can read:
;------------------Begin clipboard----------------------------
Much delayed but now present:  RFC 1948 style sequence numbers

In order to ensure security and functionality, RFC 1948 style
initial sequence number generation has been implemented.  Barring
any major cryptographic breakthroughs, this algorithm should be
unbreakable.
;--------------------End clipboard----------------------------

In the diff to previous revision:
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/tcp_subr.c.diff?r1=1.73.2.21&r2=1.73.2.22
it says:
;------------------Begin clipboard----------------------------
+ * The ISNs in SYN-ACK packets have no monotonicity requirement,
+ * and should be as unpredictable as possible to avoid the possibility
+ * of spoofing and/or connection hijacking.  To satisfy this
+ * requirement, SYN-ACK ISNs are generated via the arc4random()
+ * function.  If exact RFC 1948 compliance is requested via sysctl,
+ * these ISNs will be generated just like those in SYN packets.
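Review bot: the last sentence of this comment ("If exact RFC 1948 compliance is requested via sysctl") refers to a sysctl without naming it; name the knob in the comment so a reader can find what switches SYN-ACK ISNs from arc4random() to the SYN-packet scheme. It would also help to say in a few words what "just like those in SYN packets" means, since these lines do not describe that scheme.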
;--------------------End clipboard----------------------------
But then I took a quick glance at my fresh 4.6 box, and found that
SYN-ACK generation was moved to tcp_syncache.c
I did not manage to find any RFC 1948 related info in the CVS log for this
file. Maybe I just missed it.
Then I just looked into my copy of tcp_syncache.c and found that:
;------------------Begin clipboard----------------------------
        if (tcp_syncookies)
                sc->sc_iss = syncookie_generate(sc);
        else
                sc->sc_iss = arc4random();
;--------------------End clipboard----------------------------
Is this the place where the SYN-ACK ISS is generated? If yes, then why is
the net.inet.tcp.syncookies sysctl turned on by default? Is arc4random
not random enough? Was there another reason to `request exact RFC 1948
compliance' by default? I am not just curious about that issue
(although I _am_ curious :) ), but I am currently trying to understand
the risks of trusted_hosts kind of security from the RFC 1948 point of view.
I am not a cryptanalyst, well to be honest I am totally new to
cryptography, but from what I have read arc4 (or RC4 - they are supposed
to be identical) looks quite good as SPRNG given ARC4_MAXRUNS and
ARC4_RESEED_SECONDS values are 16384 and 300s. Can anybody shed some
light on this topic or point me to a URL to read?

Any help is very good.
;-------------------------------------------
; NKritsky
; mailto:nkritsky at internethelp.ru
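
An added illustration (not part of the original post and not FreeBSD's code) of the two ISN strategies the quoted comment contrasts: RFC 1948's ISN = M + F(localhost, localport, remotehost, remoteport, secret), with MD5 as F as the RFC suggests, next to a purely random ISN. The function names, the secret and the addresses are constructed for this example, and `secrets.randbits` stands in for arc4random().

```python
import hashlib
import secrets
import socket
import struct

MASK32 = 0xFFFFFFFF

def rfc1948_offset(secret, laddr, lport, faddr, fport):
    """F(...): keyed MD5 over the connection 4-tuple, truncated to 32 bits."""
    data = (socket.inet_aton(laddr) + struct.pack("!H", lport) +
            socket.inet_aton(faddr) + struct.pack("!H", fport) + secret)
    return struct.unpack("!I", hashlib.md5(data).digest()[:4])[0]

def rfc1948_isn(secret, laddr, lport, faddr, fport, usec):
    """ISN = M + F(...), where M is a counter ticking every 4 microseconds."""
    m = (usec // 4) & MASK32
    return (m + rfc1948_offset(secret, laddr, lport, faddr, fport)) & MASK32

def random_isn():
    """Random path (stand-in for arc4random()): no clock, no 4-tuple input."""
    return secrets.randbits(32)

def seq_delta(a, b):
    """Forward distance from a to b in 32-bit sequence space."""
    return (b - a) & MASK32

def demo():
    secret = b"constructed-boot-secret"          # constructed sample value
    local = ("192.0.2.1", 22)                    # documentation addresses
    t0, t1 = 5_000_000, 6_000_000                # microseconds, 1 s apart
    same_a = rfc1948_isn(secret, *local, "198.51.100.7", 40000, t0)
    same_b = rfc1948_isn(secret, *local, "198.51.100.7", 40000, t1)
    other = rfc1948_isn(secret, *local, "203.0.113.9", 40000, t0)
    return {
        # Same 4-tuple: ISNs advance with the clock (monotonic per connection).
        "same_tuple_delta": seq_delta(same_a, same_b),
        # Another peer at the same instant: offset differs by the secret hash,
        # so one peer's ISN does not reveal what another peer will receive.
        "cross_tuple_delta": seq_delta(same_a, other),
        # Random path: consecutive values have no defined relation at all.
        "random_pair": (random_isn(), random_isn()),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```
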