## On 2002-04-08 21:03 +0200 Mikael Olsson typed:
MO>
MO>
MO> > 2. Ditto ICMP without breaking unreachables, etc.
MO>
MO> I'm not quite following you here.
MO> Unless of course you're talking about a transparent proxy
MO> doing some ICMP error magic that I'm not familiar with,
MO> in which case you just invalidated your previous point :)
MO>
Why ICMP error magic?
For example: how about path MTU discovery with different MTUs on both
sides of the firewall? (assuming of course that p-MTU works at all ;-)
MO>
MO>
MO> > 5. No need to worry about sequence number prediction attacks for
MO> > thousands of clients, just one host.
MO>
MO> Hmm.. I realize that the following has a very real potential of making
MO> me look like a marketroid. I apologize for this up front; I just don't
MO> know of another example.
MO>
MO> We offset all sequence numbers by random numbers generated by
MO> the Yarrow PRNG. I'd say that this is an order of magnitude better
MO> than what general-purpose TCP/IP stacks in general do.
MO> (OTOH, maybe this isn't a very common thing for SPFs to do.)
MO>
MO>
AFAIK the Cisco PIX will randomize TCP ISN numbers.
What makes yours unique?
Thanks,
Rafi
--
Rafi Sadowsky [EMAIL PROTECTED]
Network Operations Center | VoiceMail: +972-3-646-0592 FAX: +972-3-646-0454
ILAN - IUCC -I2(Israel) | FIRST-REP ILAN-CERT([EMAIL PROTECTED])
(Israeli Academic Network) | (PGP key -> ) http://telem.openu.ac.il/~rafi
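As an added illustration (not code from this thread, nor from Mikael's product), the ISN-offsetting he describes: the firewall keeps a random per-connection offset, adds it to the inside host's sequence numbers on the way out and subtracts it from the peer's acknowledgements on the way in, so the outside never sees the host's real ISN. `secrets.randbits` stands in for the Yarrow PRNG; the `Segment` model, host names and addresses are constructed for the demo.

```python
import secrets
from dataclasses import dataclass, replace

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    seq: int
    ack: int
    syn: bool = False


class IsnOffsetFirewall:
    """Stateful firewall that adds a random per-connection offset to the
    sequence numbers of inside hosts, so a peer only ever sees ISN + offset.
    `rng` takes a bit count and returns an int; secrets.randbits is an
    assumption standing in for the Yarrow PRNG mentioned in the thread."""

    def __init__(self, inside_hosts, rng=secrets.randbits):
        self.inside = set(inside_hosts)
        self.rng = rng
        self.offsets = {}  # (inside host, outside peer) -> 32-bit offset

    def forward(self, seg):
        """Return the translated segment, or None if it matches no state."""
        if seg.src in self.inside:  # outbound: shift the inside host's seq
            key = (seg.src, seg.dst)
            if seg.syn and key not in self.offsets:
                self.offsets[key] = self.rng(32)  # new connection, new offset
            off = self.offsets.get(key)
            if off is None:
                return None  # no tracked connection: drop
            return replace(seg, seq=(seg.seq + off) % SEQ_MOD)
        if seg.dst in self.inside:  # inbound: the peer's ACK is in offset space
            off = self.offsets.get((seg.dst, seg.src))
            if off is None:
                return None  # unsolicited inbound segment: drop
            return replace(seg, ack=(seg.ack - off) % SEQ_MOD)
        return None  # neither endpoint is inside: not our traffic
        # Caveat: SACK blocks and the TCP header echoed inside ICMP errors
        # also carry sequence numbers and must be rewritten the same way,
        # or the translation breaks exactly the unreachables discussed above.
```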
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls