Hi Florin, Nice!
Jim

> On Jan 2, 2019, at 6:10 PM, Florin Coras <fcoras.li...@gmail.com> wrote:
>
> Hi Jim,
>
> Here’s the patch [1].
>
> Regards,
> Florin
>
> [1] https://gerrit.fd.io/r/#/c/16675/
>
>> On Dec 29, 2018, at 10:59 PM, Florin Coras via Lists.Fd.Io <fcoras.lists=gmail....@lists.fd.io> wrote:
>>
>>> On Dec 29, 2018, at 8:26 PM, Jim Thompson <j...@netgate.com> wrote:
>>>
>>>> On Dec 29, 2018, at 6:42 PM, Florin Coras <fcoras.li...@gmail.com> wrote:
>>>>
>>>> Hi Jim,
>>>>
>>>> That has to do with the initial sequence number generation.
>>>
>>> Understood. Thus the title of "Defending against Sequence Number Attacks"
>>>
>>>> We don’t exactly implement that algorithm but we do generate the initial
>>>> sequence number randomly based on time.
>>>
>>> Understood. Currently we do:
>>>
>>> tc->iss = random_u32 (&time_now);
>>
>> Yup.
>>
>>> in tcp_init_snd_vars(), but I’m not sure that’s not an RFC violation.
>>> Quoting:
>>>
>>> "If random numbers are used as the sole source of the secret, they MUST be
>>> chosen in accordance with the recommendations given in RFC4086."
>>>
>>> If it isn’t, fine. If it is, then the question becomes: "Would adding a
>>> 4 usec timer be harmful to the host stack?"
>>>
>>> From inspection it looks like all the other data to call the RFC-recommended
>>>
>>> tc->iss = M + F (localip, localport, remoteip, remoteport, secretkey)
>>>
>>> is present. (Where M is the current value of that 4 usec timer, F is MD5,
>>> and secretkey is some value we pick up or generate during VPP startup.)
>>
>> We could just use vlib time for that. I’ll add it to my list, in case nobody
>> beats me to it.
>>
>> Florin
>>
>>> Jim
>>>
>>>> Florin
>>>>
>>>>> On Dec 29, 2018, at 12:42 PM, Jim Thompson <j...@netgate.com> wrote:
>>>>>
>>>>> Florin,
>>>>>
>>>>> Maybe he wants RFC 6528.
>>>>>
>>>>> Jim
>>>>>
>>>>>> On Dec 29, 2018, at 10:59 AM, Florin Coras <fcoras.li...@gmail.com> wrote:
>>>>>>
>>>>>> Hi Brayan,
>>>>>>
>>>>>> I’m not entirely sure I understand your question. Obviously, we have
>>>>>> sequence validation in tcp as per rfc 793. For details, see
>>>>>> tcp_segment_validate in tcp_input.c. As part of that function, we also
>>>>>> check for paws as per rfc 1323/7323.
>>>>>>
>>>>>> Hope this helps,
>>>>>> Florin
>>>>>>
>>>>>>> On Dec 29, 2018, at 5:29 AM, brayan ortega <brayan.ortega6...@gmail.com> wrote:
>>>>>>>
>>>>>>> Dear VPP Folks,
>>>>>>>
>>>>>>> I would like to know about sequence number checking functionality. Is
>>>>>>> this functionality implemented already?
>>>>>>> 1- If yes: Guide me about that
>>>>>>> 2- If no: Is there any plan for sequence number checking
>>>>>>> implementation? It seems it is essential to prevent sequence number
>>>>>>> prediction attacks.
>>>>>>>
>>>>>>> Best Regards,
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#11821): https://lists.fd.io/g/vpp-dev/message/11821
Mute This Topic: https://lists.fd.io/mt/28880091/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
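The RFC 6528 scheme Jim spells out in the thread above (ISN = M + F(localip, localport, remoteip, remoteport, secretkey), with M a 4 usec clock and F MD5), worked through as an added illustration that is neither VPP's code nor the patch linked above. The byte layout fed to F and the use of a per-boot secret drawn from the OS CSPRNG are assumptions of this example.

```python
import hashlib
import ipaddress
import secrets
import struct
import time

# Per-boot secret (RFC 6528 recommends at least 128 bits). Drawing it from the
# OS CSPRNG is how a stack meets the RFC 4086 requirement quoted in the thread.
SECRET_KEY = secrets.token_bytes(16)


def isn_clock(now_us):
    """M: a 32-bit clock that increments once every 4 microseconds (RFC 793 / 6528)."""
    return (now_us // 4) & 0xFFFFFFFF


def isn_hash(local_ip, local_port, remote_ip, remote_port, secret):
    """F: MD5 over the connection 4-tuple plus the secret, truncated to 32 bits.

    Field layout is an assumption of this example (the RFC does not fix one):
    packed addresses, network-order ports, then the secret.
    """
    data = (ipaddress.ip_address(local_ip).packed
            + struct.pack("!H", local_port)
            + ipaddress.ip_address(remote_ip).packed
            + struct.pack("!H", remote_port)
            + secret)
    return struct.unpack("!I", hashlib.md5(data).digest()[:4])[0]


def generate_isn(local_ip, local_port, remote_ip, remote_port,
                 secret=SECRET_KEY, now_us=None):
    """ISN = M + F(4-tuple, secret) mod 2^32; now_us is microseconds since any fixed epoch."""
    if now_us is None:
        now_us = time.monotonic_ns() // 1000
    m = isn_clock(now_us)
    f = isn_hash(local_ip, local_port, remote_ip, remote_port, secret)
    return (m + f) & 0xFFFFFFFF


if __name__ == "__main__":
    # Constructed sample connection: the same 4-tuple advances with the clock
    # (1000 ticks per 4 ms), while a different peer gets an unrelated offset.
    isn1 = generate_isn("10.0.0.1", 443, "192.0.2.10", 51000, now_us=0)
    isn2 = generate_isn("10.0.0.1", 443, "192.0.2.10", 51000, now_us=4000)
    print(f"clock advance over 4 ms: {(isn2 - isn1) & 0xFFFFFFFF} (expect 1000)")
    print(f"other peer: {generate_isn('10.0.0.1', 443, '192.0.2.11', 51000, now_us=0):#010x}")
```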