
Re: tcp vulnerability



* Darren Reed <avalon_(_at_)_caligula_(_dot_)_anu_(_dot_)_edu_(_dot_)_au> [2004-04-21 03:04]:
> In some mail from Henning Brauer, sie said:
> > * Darren Reed <avalon_(_at_)_caligula_(_dot_)_anu_(_dot_)_edu_(_dot_)_au> [2004-04-21 01:18]:
> > > In some mail from Henning Brauer, sie said:
> > > > I'd like to point out that OpenBSD running bgpd(8) as shipped with 
> > > > 3.5 is not affected...
> > > What you mean to say, surely, is that OpenBSD and bgpd(8) support
> > > TCP-MD5, so where it talks to another end that has been configured
> > > for TCP-MD5 in a matching configuration (i.e. another bgpd(8) running
> > > on OpenBSD 3.5), the vulnerability is negligible.
> > no, you are talking crap.
> Really ?

I assure you.

> > for first, tcp md5 works perfectly against any other rfc compliant 
> > implementation.
> Well I'd hope so.
> But, TCP MD-5 must be *configured* on *both* ends for it to work.
> Just using bgpd "because" does not enable it.

*of* *course*

but the only one who's talking about tcpmd5 is you.

> > second, even without tcp md5, bgpd on OpenBSD is not affected, because:
> > -we use random ephemeral ports
> (which is only a 16k range to guess)

(which is an entirely different story than guessing with linear 
allocation)

> > -we do not use insanely huge window sizes as cisco does
> > -we require the RST sequence number to be right on the edge of the window
> All of which is to say that the risk when using OpenBSD, without MD5,
> is less, not absent (which is effectively what you're claiming.)

the risk with OpenBSD is basically as low as possible, which makes your 
statement about tcpmd5 nearly fit for that too:

> Even with TCP-MD5 the risk is not absent, just so improbable that
> it is an insignificant concern compared to others.

so. again, you posted FUD without knowing what you were talking about - 
I did not mention or even think of tcpmd5, because the issue for cisco 
is fuckups in their tcp stack that we simply do not have, and 
countermeasures that we have taken years ago already.

Our tcp md5, as opposed to your FUD spreading, *of course* works with 
everything that is rfc compliant. And of course every bgp session that 
is not run over ipsec or has similar measures in effect should have tcp 
md5 enabled, because it is cheap and helps a lot.

but spreading FUD is so much fun, right. *sigh*.

And this all from a guy who bans people from his mailing list for 
posting a purely technical report about the ipf -> pf switch on his 
network ...

-- 
http://2suck.net/hhwl.html - http://www.bsws.de/
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
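The three mitigations listed in the mail above (random ephemeral ports, a modest receive window, and accepting a RST only at the edge of the window) all change the same number: how many spoofed segments a blind attacker has to send before one is accepted. The following is an added example, not code from the mail, from bgpd(8) or from the OpenBSD TCP stack. It models two RST acceptance rules, the classic "anywhere in the receive window" rule and a strict "exactly at the left edge" rule as the mail describes, and computes the attacker's cost for each. The window sizes, the 16k port range taken from the mail, and the sequence number used in the simulation are assumed parameters, not measurements of any real implementation.

```python
"""Blind TCP reset: how window size, port allocation and the RST
acceptance rule change the attacker's work.

Added example, not code from the original mail, bgpd(8) or OpenBSD.
'strict' models the rule the mail describes (RST only accepted with its
sequence number right at the edge of the window); 'in_window' is the
classic rule that accepts a RST anywhere inside the receive window.
All window sizes and port counts below are assumptions for illustration.
"""

SEQ_SPACE = 2 ** 32          # size of the TCP sequence number space


def rst_accepted(seq, rcv_nxt, rcv_wnd, policy):
    """Would a spoofed RST carrying `seq` be accepted by a receiver whose
    next expected byte is `rcv_nxt` with advertised window `rcv_wnd`?
    Sequence arithmetic wraps modulo 2**32."""
    offset = (seq - rcv_nxt) % SEQ_SPACE
    if policy == "strict":       # exactly at the left edge of the window
        return offset == 0
    if policy == "in_window":    # anywhere inside [rcv_nxt, rcv_nxt + rcv_wnd)
        return offset < rcv_wnd
    raise ValueError("unknown policy: %r" % policy)


def guesses_per_port(rcv_wnd, policy):
    """Segments needed to cover the whole sequence space on one known port.
    In-window acceptance lets the attacker step by the window size;
    strict acceptance forces a step of one."""
    stride = rcv_wnd if policy == "in_window" else 1
    return -(-SEQ_SPACE // stride)   # ceiling division


def attack_cost(rcv_wnd, policy, port_candidates):
    """Worst-case segments for a blind reset when the attacker also has to
    guess the ephemeral port. Linearly allocated ports are predictable
    (port_candidates == 1); randomly allocated ports in a 16k range are
    not (port_candidates == 16384), the figure quoted in the mail."""
    return guesses_per_port(rcv_wnd, policy) * port_candidates


def simulate_blind_reset(rcv_nxt, rcv_wnd, policy):
    """Attacker walks the sequence space with stride == window size, the
    optimal strategy against an in-window receiver, on a port it already
    knows. Returns the number of segments sent before one is accepted,
    or None if the whole space was covered without a hit."""
    sent = 0
    seq = 0
    while seq < SEQ_SPACE:
        sent += 1
        if rst_accepted(seq, rcv_nxt, rcv_wnd, policy):
            return sent
        seq += rcv_wnd
    return None


if __name__ == "__main__":
    RCV_NXT = 305419896          # constructed sample connection state
    for wnd in (16384, 65536):   # assumed window sizes, small vs large
        for policy in ("in_window", "strict"):
            print("wnd=%6d %-9s known port: %d segments; "
                  "random 16k port range: %d segments" % (
                      wnd, policy,
                      attack_cost(wnd, policy, 1),
                      attack_cost(wnd, policy, 16384)))
    print("walk with stride=window vs in_window receiver:",
          simulate_blind_reset(RCV_NXT, 65536, "in_window"))
    print("same walk vs strict receiver:",
          simulate_blind_reset(RCV_NXT, 65536, "strict"))
```

The simulation makes the mail's point concrete: against an in-window receiver with a 64 KiB window the stride walk lands inside the window after a few thousand segments on a known port, while the same walk against a strict receiver covers the entire space without ever hitting the one accepted value, and randomising the port multiplies whatever remains by the size of the port range.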