4153 – New tcp initial send sequence number code

Bug 4153 - New tcp initial send sequence number code

Summary: New tcp initial send sequence number code

Status:	Closed FIXED

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	kern (show other bugs)
Version:	2.2.2-RELEASE
Hardware:	Any Any

Importance:	Normal Affects Only Me
Assignee:	freebsd-bugs (Nobody)

URL:
Keywords:

Depends on:
Blocks:

Reported:	1997-07-24 00:50 UTC by Craig Leres
Modified:	2024-03-25 12:37 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
file.diff (5.41 KB, patch) 1997-07-24 00:50 UTC, Craig Leres	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Craig Leres freebsd_committer

1997-07-24 00:50:01 UTC

	The tcp iss number chosen by the 2.2.2-RELEASE kernel while
	an improvement over the constant increment version, it is
	still guessable. Although random() is used, the seed is
	not updated and so the pseudo random number sequence is
	essentially published.

Fix: The following context diffs use a 32 bit random number that
	is based on a seed that is not externally visible. (See
	the comments in tcp_new_iss() for a more detailed explaination.)
	While this version does technically violate the spec, it
	doesn't do so in a manner that will impact any current or
	future implementation. (We've been running a version of
	this code on our SunOS 4 systems since the early days of
	ip spoofing.)

+ rcsdiff -c tcp_input.c
RCS file: RCS/tcp_input.c,v
retrieving revision 1.2
How-To-Repeat: 
	While we haven't actually written the test program that
	guesses the next iss, given access to the kernel source it
	is only an exercise.

Comment 1 Garrett A. Wollman 1997-07-24 03:22:59 UTC

<<On Wed, 23 Jul 1997 16:49:14 -0700 (PDT), leres@ee.lbl.gov (Craig Leres) said:

> 	The following context diffs use a 32 bit random number that
> 	is based on a seed that is not externally visible. (See
> 	the comments in tcp_new_iss() for a more detailed explaination.)
> 	While this version does technically violate the spec, it
> 	doesn't do so in a manner that will impact any current or
> 	future implementation. (We've been running a version of
> 	this code on our SunOS 4 systems since the early days of
> 	ip spoofing.)

If you go to this extreme, you might as well just use the in-kernel
secure random number generator instead.

-GAWollman

--
Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu  | O Siem / The fires of freedom 
Opinions not those of| Dance in the burning flame
MIT, LCS, CRS, or NSA|                     - Susan Aglukark and Chad Irschick

Comment 2 Johan Karlsson freebsd_committer

2000-10-27 21:51:28 UTC

State Changed
From-To: open->feedback

I will close this instead with a proper close message.

Comment 3 Johan Karlsson freebsd_committer

2000-10-27 21:52:35 UTC

State Changed
From-To: feedback->closed

This has been made stronger in 2.2-STABEL, 3-STABEL, 4-STABEL and current. 

From the cvs log: 
Revision 1.81 / (download) - annotate - [select for diffs], Fri Sep 29 01:37:19 2000 UTC (4 weeks ago) by kris  
Branch: MAIN  
Changes since 1.80: +2 -2 lines 
Diff to previous 1.80 (unified) 

Use stronger random number generation for TCP_ISSINCR and tcp_iss. 

Reviewed by:    peter, jlemon

Comment 4 Thanos 2018-05-17 10:49:40 UTC

MARKED AS SPAM