[Full-Disclosure] IETF Draft - Fix for TCP vulnerability (fwd)
Poul-Henning Kamp
phk at phk.freebsd.dk
Tue Apr 20 23:50:19 PDT 2004
In message <20040421014736.H1228 at odysseus.silby.com>, Mike Silbersack writes:
>
>On Tue, 20 Apr 2004, Don Lewis wrote:
>
>> I am concerned that step C will not solve the compatibility problem. The
>> FreeBSD host is sending a FIN to close an established connection, and
>> the peer host adding the window size advertised in the FIN packet to the
>> sequence number acknowledged in the FIN packet, and using the sum as the
>> sequence number for the RST packet, which puts the sequence number at
>> the end of the receive window.
>
>Would it be feasible for us to create a four to five element array to
>track "resettable" sequence numbers? This could hold the sequence numbers
>of the last few packets transmitted, and account for that edge case as
>well.
Sounds like an interesting idea.
Technically you will have to hold the sequence numbers for all
non-ACK'ed packets, which may be up to the window divided by the
MTU. In the conventional case, worst case is 237 sequence numbers
(65535/276). This sounds like a lot until one realizes that at
the same time we hold 64k of un-ACK'ed data.
A prototype would be a good thing...
--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
More information about the freebsd-security
mailing list