[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: tcp vulnerability
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: tcp vulnerability
- From: Henning Brauer <lists-openbsd_(_at_)_bsws_(_dot_)_de>
- Date: Wed, 21 Apr 2004 09:27:57 -0700
- Mail-followup-to: misc_(_at_)_openbsd_(_dot_)_org
* Darren Reed <avalon_(_at_)_caligula_(_dot_)_anu_(_dot_)_edu_(_dot_)_au> [2004-04-21 03:04]:
> In some mail from Henning Brauer, sie said:
> > * Darren Reed <avalon_(_at_)_caligula_(_dot_)_anu_(_dot_)_edu_(_dot_)_au> [2004-04-21 01:18]:
> > > In some mail from Henning Brauer, sie said:
> > > > I'd like to point out that OpenBSD running bgpd(8) as shipping with
> > > > 3.5 is not affected...
> > > What you mean to say, surely, is that OpenBSD and bgpd(8) supports
> > > TCP-MD5, so where it talks to another end that has been configured
> > > for TCP-MD5 in a matching configuration (i.e another bgpd(8) running
> > > on OpenBSD 3.5), there vulnerability is negligible.
> > no, you are talking crap.
> Really ?
> > for first, tcp md5 works perfectly against any other rfc compliant
> > imlementation.
> Well I'd hope so.
> But, TCP MD-5 must be *configured* on *both* ends for it to work.
> Just using bgpd "because" does not enable it.
but the only one who's talking about tcpmd5 is you.
> > second, even without tcp md5, bgpd on OpenBSD is not affected, because:
> > -we use random emphereal ports
> (which is only a 16k range to guess)
(what is an entirely different story then guessing with linear
> > -we do not use insanely hughe window sizes as cisco does
> > -we require the RST sequence number to be right on the edge of the window
> All of which is to say that the risk when using OpenBSD, without MD5,
> is less, not absent (which is effectively what you're claiming.)
the risk with OpenBSD is basically as low as possible, which makes your
statement about tcomd5 nearly fit for that too:
> Even with TCP-MD5 the risk is not absent, just so improbable that
> it is an insignificant concern compared to others.
so. again, you posted FUD without knowing what you were talking about -
I did not mention or even think of tcpmd5, because the issue for cisco
is fuckups in their tcp stack that we simply do not have, and
countermeasures that we have taken years ago already.
Our tcp md5, opposed to your FUD spreading, *of course* works with
everything that is rfc compliant. And of course every bgp session that
is not run over ipsec or has similar measures in affect should have tcp
md5 enabled, because it is cheap and helps a lot.
but spreading FUD is so much fun, right. *sigh*.
And this all from a guy who bans people from his mailing list for
posting a purely technical report about the ipf -> pf switch on his
http://2suck.net/hhwl.html - http://www.bsws.de/
Unix is very simple, but it takes a genius to understand the simplicity.
Visit your host, monkey.org