Re: [Idr] proposed additional text
On Mon, May 17, 2004 at 12:52:05PM -0400, Curtis Villamizar wrote:
> A replay attack involves sending information later on when it is no
> longer valid. Since the TCP sequence number is covered by the TCP
> checksum, and therefore MD5 digest that replaces it, a replay attack
> is not possible. It also covers address and port so you can't read
> from one connection and replay on another.

Presume you are in circumstances in which a replay attack is possible.
Presume also that you can sniff the wire.

Given the above, the circumstances under which an attack is valid are:

1. The key is still the same (or much less likely, a different key
   results in the same MAC)
2. The source, dst, src port, dst port tuples are the same.
3. The segment which you are looking to replay is within the window.

Given all of the above, it is possible to replay the packet.

If the packet is a SYN or RST, then you can obviously disrupt the session.
You can gather these by simply sniffing the wire and simply replaying
any that are within the acceptable TCP session and window.

If the packet is a data packet, the behavior will depend on the
TCP implementation. This may desynchronize the session at the
least.

Note that I am not a TCP expert nor do I play one on TV. However,
I've heard some interesting stories about how different implementations
fail to follow the spec and odd behaviors thus caused.

--
Jeff Haas
NextHop Technologies
_______________________________________________
Idr mailing list
Idr@ietf.org
https://www1.ietf.org/mailman/listinfo/idr
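
The three conditions listed in the message above, modelled from the receiver's side as an added example that is not part of the original thread: the digest follows the RFC 2385 input order (pseudo-header, TCP header without options and with a zero checksum, data, key), and the check shows that the MAC gives integrity but no freshness. The segment dictionary, `receiver_verdict`, the key and the addresses are assumptions constructed for illustration; the data offset is fixed at 5 as a simplification.

```python
import hashlib
import hmac
import socket
import struct

def rfc2385_digest(seg, key):
    """MD5 over pseudo-header, option-less TCP header (checksum 0), data, key."""
    hdr = struct.pack("!HHIIBBHHH", seg["sport"], seg["dport"], seg["seq"],
                      seg["ack"], 5 << 4, seg["flags"], seg["win"], 0, 0)
    pseudo = (socket.inet_aton(seg["src"]) + socket.inet_aton(seg["dst"])
              + struct.pack("!BBH", 0, 6, len(hdr) + len(seg["data"])))
    return hashlib.md5(pseudo + hdr + seg["data"] + key).digest()

def receiver_verdict(seg, mac, key, rcv_nxt, rcv_wnd):
    """Simplified receiver (assumption): MAC check, then sequence-in-window check."""
    if not hmac.compare_digest(rfc2385_digest(seg, key), mac):
        return "bad-mac"
    if (seg["seq"] - rcv_nxt) % 2**32 >= rcv_wnd:
        return "out-of-window"
    return "accept"

# Constructed sample: one signed data segment as recorded on the wire.
KEY = b"constructed-session-key"
CAPTURED = {"src": "192.0.2.1", "dst": "192.0.2.2", "sport": 49152, "dport": 179,
            "seq": 1000, "ack": 5000, "flags": 0x18, "win": 16384,
            "data": b"constructed payload"}
CAPTURED_MAC = rfc2385_digest(CAPTURED, KEY)

def scenarios():
    """Verdict for the same recorded segment under each condition from the message."""
    other_conn = dict(CAPTURED, sport=49153)  # same MAC presented on another connection
    return {
        "same key, same tuple, in window":
            receiver_verdict(CAPTURED, CAPTURED_MAC, KEY, 900, 16384),
        "key changed":
            receiver_verdict(CAPTURED, CAPTURED_MAC, b"constructed-new-key", 900, 16384),
        "different 4-tuple":
            receiver_verdict(other_conn, CAPTURED_MAC, KEY, 900, 16384),
        "window moved past seq":
            receiver_verdict(CAPTURED, CAPTURED_MAC, KEY, 20000, 16384),
    }

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:35s} {verdict}")
```

Only the first scenario is accepted: changing the key or the 4-tuple invalidates the digest, and a sequence number outside the receive window is rejected by TCP itself rather than by the MAC.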