Re: [Idr] proposed additional text
In message <39469E08BD83D411A3D900204840EC55FB7291@vie-msgusr-01.dc.fore.com>,
"Naidu, Venkata" writes:
> Curtis,
>
> -> A replay attack involves sending information later on when it is no
> -> longer valid. Since the TCP sequence number is covered by the TCP
> -> checksum, and therefore MD5 digest that replaces it, a replay attack
> -> is not possible.
>
> IMHO, TCP sequence number is not designed to protect replay attacks,
> rather the intention is to detect network errors/congestion and to
> provide a form of simple ordered byte stream reliability.
>
> For example, I computed that, the sequence number would wrap around:
> in (2^32 bytes * 8 bits/byte) / (10 * 10^6 bit/sec) = 3435.6 sec ~
> 1 hour using 32 bit sequence number when streaming 10 Mbps,
> in 343.56 sec using 32 bit sequence number when streaming 100Mbps,
> in 0.00046 sec using 32 bit sequence numbers when streaming 75Tbps.
>
> I am not sure how TCP checksum and MD5 digest is going to protect
> if the attacker is not going to change a single bit the segment.
>
> So, all the replay attacker has to do is to wait for the next
> window to sneak in the old segment after sequence number wrapping.
> This is the main reason why IPSec argued to increase the sequence
> number from 32 bit to 64 bits.
>
> Venkata.
BGP does not stream continuously at 10 Mb/s. More like 10s of kb/s on
average, usually less. That would be on the order of 700,000 seconds
at about 50 kb/s.
So at best after about 8 days a denial of service would be possible.
Keep in mind that the old sequence of bytes has to fit exactly into a
packet in the new sequence of bytes - same start byte for the packet
and same length. Otherwise the BGP session does a cease and there is
no damage except a temporary DoS. Note also that the ACK sequence
number is part of the MD5.
Like I said, this "attack" is a real stretch of the imagination.
For general IPSEC use it matters because inserting '\n rm -rf / \n'
(or equivalent depending on OS) into a telnet stream at almost any
time would be a bad thing. For BGP a cease would occur and the damage
is limited to a DoS.
Curtis
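The exchange above turns on what the RFC 2385 TCP MD5 option actually covers. As an added example (not code from either poster, nor from any router implementation), the model below computes the RFC 2385 digest over the IPv4 pseudo-header, the option-less TCP header with checksum zero, the segment data and the key, then runs a minimal receiver that checks the digest first and the expected sequence number second. It shows the four cases discussed in the thread: a genuine segment is accepted, a tampered one fails the digest, an immediately replayed one carries a valid digest but a stale sequence number and is dropped, and a replay succeeds at the TCP layer only once RCV.NXT has wrapped back to exactly the old starting byte (one byte off and it is dropped again). It also carries through the wrap-time arithmetic for a 10 Mb/s link and for the ~50 kb/s BGP rate Curtis quotes. The addresses, ports, key and the KEEPALIVE payload are constructed values; the receiver accepts only in-order segments (no receive window), which is a simplification.

```python
"""TCP MD5 signature option (RFC 2385) replay experiment.

Added example for the IDR thread on replay after sequence wrap; the
endpoints, key and payload are constructed, not taken from any real session.
"""
import hashlib
import ipaddress
import struct

TCP_PROTO = 6
MOD32 = 1 << 32


def tcp_md5_digest(src_ip, dst_ip, sport, dport, seq, ack, flags, window, payload, key):
    """RFC 2385 section 2.0: MD5 over (1) the IPv4 pseudo-header, (2) the TCP
    header excluding options with the checksum field zeroed, (3) the segment
    data and (4) the key. The data offset is fixed at 5 words here; a header
    that really carried the option would advertise a larger offset, but the
    option bytes themselves are never part of the hash either way."""
    tcp_len = 20 + len(payload)
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))
    header = struct.pack("!HHIIHHHH", sport, dport, seq % MOD32, ack % MOD32,
                         (5 << 12) | flags, window, 0, 0)   # checksum=0, urg=0
    return hashlib.md5(pseudo + header + payload + key).digest()


def digest_for(seg, key):
    return tcp_md5_digest(seg["src"], seg["dst"], seg["sport"], seg["dport"],
                          seg["seq"], seg["ack"], seg["flags"], seg["window"],
                          seg["payload"], key)


def make_segment(endpoints, seq, ack, payload, key):
    """Build a signed segment; the sender signs SEQ and ACK along with the data."""
    seg = dict(endpoints, seq=seq % MOD32, ack=ack % MOD32, payload=payload)
    seg["md5"] = digest_for(seg, key)
    return seg


class SignedReceiver:
    """Receive-side model: verify the digest, then accept only the segment
    that starts exactly at RCV.NXT. No receive window, for simplicity."""

    def __init__(self, key, rcv_nxt):
        self.key = key
        self.rcv_nxt = rcv_nxt % MOD32
        self.delivered = b""

    def advance(self, nbytes):
        """Pretend nbytes of legitimate traffic were delivered in between."""
        self.rcv_nxt = (self.rcv_nxt + nbytes) % MOD32

    def receive(self, seg):
        if digest_for(seg, self.key) != seg["md5"]:
            return "dropped: bad MD5 signature"
        if seg["seq"] != self.rcv_nxt:
            return "dropped: sequence %d not expected %d" % (seg["seq"], self.rcv_nxt)
        self.delivered += seg["payload"]
        self.advance(len(seg["payload"]))
        return "accepted"


def seq_wrap_seconds(bits_per_second):
    """Time for a 32-bit sequence space to wrap at a continuous byte rate."""
    return (MOD32 * 8) / bits_per_second


def run_replay_scenario():
    key = b"s3cret-bgp-key"                                 # constructed key
    endpoints = dict(src="192.0.2.1", dst="192.0.2.2", sport=179, dport=49152,
                     flags=0x18, window=16384)              # PSH|ACK, made up
    keepalive = b"\xff" * 16 + struct.pack("!HB", 19, 4)    # BGP KEEPALIVE (19 bytes)
    rx = SignedReceiver(key, rcv_nxt=1000)
    seg = make_segment(endpoints, seq=1000, ack=5000, payload=keepalive, key=key)
    results = {}
    results["genuine"] = rx.receive(seg)
    # Attacker flips the message type byte: digest no longer matches.
    tampered = dict(seg, payload=keepalive[:-1] + b"\x03")
    results["tampered"] = rx.receive(tampered)
    # Same bytes replayed right away: digest is fine, SEQ is stale.
    results["immediate_replay"] = rx.receive(seg)
    # Legitimate traffic carries RCV.NXT all the way around the 32-bit space
    # so the old segment's first byte is expected again: TCP accepts it.
    rx.advance(MOD32 - 19)
    results["replay_after_wrap"] = rx.receive(seg)
    # One byte of misalignment after the wrap and it is dropped again.
    rx.advance(MOD32 - 18)
    results["replay_off_by_one"] = rx.receive(seg)
    return results


if __name__ == "__main__":
    for name, outcome in run_replay_scenario().items():
        print("%-18s %s" % (name, outcome))
    for label, bps in (("10 Mb/s", 10e6), ("50 kb/s", 50e3)):
        s = seq_wrap_seconds(bps)
        print("wrap at %s: %.0f s (%.1f days)" % (label, s, s / 86400))
```

The model makes Curtis's two points concrete: the digest binds SEQ (and ACK) into the signature, so an unmodified replay only passes once the receiver expects that exact sequence number again, which at a continuous 50 kb/s is roughly 687,000 seconds, about eight days, and even then the replayed bytes have to start at precisely the expected byte. What the model does not show is the BGP layer above TCP: whether the accepted bytes then land on a message boundary and parse cleanly, or desynchronise the stream and trigger the cease Curtis describes, depends on what the legitimate peer was sending at that moment.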
_______________________________________________
Idr mailing list
Idr@ietf.org
https://www1.ietf.org/mailman/listinfo/idr