> On Dec 29, 2018, at 6:42 PM, Florin Coras <fcoras.li...@gmail.com> wrote:
> 
> Hi Jim, 
> 
> That has to do with the initial sequence number generation.

Understood.  Thus the title of "Defending against Sequence Number Attacks"

> We don’t exactly implement that algorithm but we do generate the initial 
> sequence number randomly based on time. 

Understood.  Currently we do:

   tc->iss = random_u32 (&time_now); 

in tcp_init_snd_vars(), but I’m not sure that’s not an RFC violation. Quoting:

   "If random numbers are used as the sole source of the secret, they MUST be 
chosen in accordance with the recommendations given in RFC4086.”

If it isn’t, fine.   If it is, then the question becomes:  "Would adding a 4 
usec timer be harmful to the host stack?"

From inspection it looks like all the other data to call the RFC-recommended

   tc->iss = M + F (localip, localport, remoteip, remoteport, secretkey)

is present.  (Where M is the current value of that 4 usec timer, F is MD5, and 
secretkey is some value we pick up or generate during VPP startup.)

Jim

> 
> Florin
> 
>> On Dec 29, 2018, at 12:42 PM, Jim Thompson <j...@netgate.com> wrote:
>> 
>> 
>> Florin,
>> 
>> Maybe he wants RFC 6528. 
>> 
>> Jim 
>> 
>>> On Dec 29, 2018, at 10:59 AM, Florin Coras <fcoras.li...@gmail.com> wrote:
>>> 
>>> Hi Brayan, 
>>> 
>>> I’m not entirely sure I understand your question. Obviously, we have 
>>> sequence validation in tcp as per rfc 793. For details, see 
>>> tcp_segment_validate in tcp_input.c. As part of that function, we also 
>>> check for paws as per rfc 1323/7323. 
>>> 
>>> Hope this helps,
>>> Florin
>>> 
>>>> On Dec 29, 2018, at 5:29 AM, brayan ortega <brayan.ortega6...@gmail.com> 
>>>> wrote:
>>>> 
>>>> Dear VPP Folks,
>>>> 
>>>> I would like to know about sequence number checking functionality. Is this 
>>>> functionality implemented already? 
>>>> 1- If yes: Guide me about that
>>>> 2- If no : Is there any plan for sequence number checking implementation? 
>>>> it seems it is essential to prevent sequence number prediction attacks. 
>>>> 
>>>> Best Regards,
>>>> -=-=-=-=-=-=-=-=-=-=-=-
>>>> Links: You receive all messages sent to this group.
>>>> 
>>>> View/Reply Online (#11795): https://lists.fd.io/g/vpp-dev/message/11795
>>>> Mute This Topic: https://lists.fd.io/mt/28880091/675152
>>>> Group Owner: vpp-dev+ow...@lists.fd.io
>>>> Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub  [fcoras.li...@gmail.com]
>>>> -=-=-=-=-=-=-=-=-=-=-=-
>>> 
> 

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#11799): https://lists.fd.io/g/vpp-dev/message/11799
Mute This Topic: https://lists.fd.io/mt/28880091/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub  [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
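The RFC 6528 construction Jim sketches above (ISN = M + F(localip, localport, remoteip, remoteport, secretkey), with M a 4-microsecond clock and secretkey drawn at startup) in working form, as an added example that is not VPP's code and not part of the thread. RFC 6528 discusses MD5 for F; this example substitutes SipHash-2-4, a keyed PRF that is compact enough to include inline and is the function the Linux kernel uses for the same job. The tcp_4tuple_t struct, the function names and the 16-byte key value are all assumptions made for the example; a real stack would fill the key from a CSPRNG at startup (RFC 4086), e.g. getrandom(2), rather than from a time-seeded generator, and would carry the 4-tuple in its own connection struct.

```c
/* rfc6528_isn.c: RFC 6528-style TCP initial sequence numbers.
 * Added example, not VPP code.  ISN = M + F(4-tuple, secretkey) with
 * M = 4 us clock and F = SipHash-2-4 (substituted for the RFC's MD5).
 * Build: cc -std=c99 -Wall -o rfc6528_isn rfc6528_isn.c */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical connection 4-tuple (IPv4, host byte order). */
typedef struct {
  uint32_t local_ip, remote_ip;
  uint16_t local_port, remote_port;
} tcp_4tuple_t;

#define ROTL64(x, b) (uint64_t)(((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND                                                      \
  do {                                                                \
    v0 += v1; v1 = ROTL64(v1, 13); v1 ^= v0; v0 = ROTL64(v0, 32);     \
    v2 += v3; v3 = ROTL64(v3, 16); v3 ^= v2;                          \
    v0 += v3; v3 = ROTL64(v3, 21); v3 ^= v0;                          \
    v2 += v1; v1 = ROTL64(v1, 17); v1 ^= v2; v2 = ROTL64(v2, 32);     \
  } while (0)

static uint64_t load_le64(const uint8_t *p) {
  uint64_t v = 0;
  for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
  return v;
}

/* SipHash-2-4 (Aumasson/Bernstein): 128-bit key, 64-bit keyed PRF output.
 * Without the key an off-path attacker cannot evaluate F, which is the
 * whole point of RFC 6528 over a plain clock-based ISN. */
static uint64_t siphash24(const uint8_t *in, size_t len, const uint8_t key[16]) {
  uint64_t k0 = load_le64(key), k1 = load_le64(key + 8);
  uint64_t v0 = 0x736f6d6570736575ULL ^ k0;
  uint64_t v1 = 0x646f72616e646f6dULL ^ k1;
  uint64_t v2 = 0x6c7967656e657261ULL ^ k0;
  uint64_t v3 = 0x7465646279746573ULL ^ k1;
  size_t i;
  for (i = 0; i + 8 <= len; i += 8) {          /* full 8-byte blocks */
    uint64_t m = load_le64(in + i);
    v3 ^= m; SIPROUND; SIPROUND; v0 ^= m;
  }
  uint64_t b = (uint64_t)len << 56;            /* length byte + tail bytes */
  for (size_t j = 0; i + j < len; j++) b |= (uint64_t)in[i + j] << (8 * j);
  v3 ^= b; SIPROUND; SIPROUND; v0 ^= b;
  v2 ^= 0xff;                                  /* finalisation */
  SIPROUND; SIPROUND; SIPROUND; SIPROUND;
  return v0 ^ v1 ^ v2 ^ v3;
}

/* M: the RFC's 4-microsecond counter, derived from a monotonic ns clock. */
static uint32_t isn_clock_4us(uint64_t now_ns) { return (uint32_t)(now_ns / 4000); }

static uint64_t monotonic_ns(void) {
  struct timespec ts;
  clock_gettime(CLOCK_MONOTONIC, &ts);
  return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}

static void put_be32(uint8_t *p, uint32_t v) {
  p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
  p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* ISN = M + F(localip, localport, remoteip, remoteport, secretkey).
 * M keeps successive ISNs on the same 4-tuple increasing (so old segments
 * are not mistaken for new ones), F offsets each 4-tuple unpredictably. */
uint32_t rfc6528_isn(const tcp_4tuple_t *t, const uint8_t key[16], uint64_t now_ns) {
  uint8_t buf[12];                             /* fixed serialisation of the tuple */
  put_be32(buf, t->local_ip);
  put_be32(buf + 4, t->remote_ip);
  buf[8] = (uint8_t)(t->local_port >> 8);  buf[9] = (uint8_t)t->local_port;
  buf[10] = (uint8_t)(t->remote_port >> 8); buf[11] = (uint8_t)t->remote_port;
  return isn_clock_4us(now_ns) + (uint32_t)siphash24(buf, sizeof buf, key);
}

/* 1 if siphash24 reproduces the published SipHash-2-4 test vectors. */
int siphash24_selftest(void) {
  uint8_t key[16], msg[15];
  for (int i = 0; i < 16; i++) key[i] = (uint8_t)i;
  for (int i = 0; i < 15; i++) msg[i] = (uint8_t)i;
  return siphash24(msg, 0, key) == 0x726fdb47dd0e0e31ULL &&
         siphash24(msg, 15, key) == 0xa129ca6149be45e5ULL;
}

int main(void) {
  /* Constructed key for the demo; a real stack fills this from a CSPRNG
   * (getrandom(2) or equivalent) once at startup, per RFC 4086. */
  const uint8_t key[16] = { 0x5a, 0x1c, 0x93, 0xe7, 0x20, 0x4b, 0xd8, 0x6f,
                            0x0d, 0xc2, 0x71, 0xa9, 0x3e, 0x84, 0xf5, 0x17 };
  tcp_4tuple_t t = { 0x0a000001u, 0x0a000002u, 443, 51000 };  /* 10.0.0.1:443 <-> 10.0.0.2:51000 */
  uint64_t now = monotonic_ns();
  printf("ISN now     : 0x%08x\n", rfc6528_isn(&t, key, now));
  printf("ISN now+4us : 0x%08x  (M advanced by exactly 1)\n", rfc6528_isn(&t, key, now + 4000));
  return siphash24_selftest() ? 0 : 1;
}
```

The two things worth checking when wiring this into a stack are that the key really comes from a CSPRNG (the RFC 4086 clause Jim quotes applies to it) and that M advances on its own clock rather than being read from the same time value used to seed a PRNG; the self-test guards only the PRF.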