To the best of my knowledge, TCPINC cannot protect against packet
injection attacks by attackers who have complete control of the network
because they can just force you not to negotiate TCPINC. That's a
basic property of it being opportunistic, and you'd need preconfiguration,
some sort of secure advertisement, pinning, or the like to prevent it.

The best that I know how to arrange is that, if the attacker is not
present and interfering with the initial handshake, subsequent
packet injections are not possible.

-Ekr

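As an added illustration of the property described above (this is not code from the thread or from any TCPINC implementation), a toy Python model of an opportunistic negotiation: the option name, the segment shape and the tag function are constructed stand-ins for the real TCP-ENO/tcpcrypt mechanics, and the key agreement is replaced by random bytes. It shows the silent fallback when an on-path attacker strips the option, the refusal when the client has pinned that the peer supports TCPINC, and the rejection of an injected segment once a session key exists.

```python
import hmac
import hashlib
import os

# Hypothetical option name; the real TCP-ENO option layout is not modelled.
ENO_OPTION = "TCPINC-ENO"

def handshake(client_pins_peer, attacker_on_path):
    """Model the SYN / SYN-ACK option exchange.

    Returns ("encrypted", session_key) or ("plaintext", None); raises if the
    client has pinned that this peer supports TCPINC and the option vanished.
    """
    syn_options = {ENO_OPTION}
    if attacker_on_path:
        syn_options.discard(ENO_OPTION)  # active attacker strips the option
    synack_options = set(syn_options)  # server echoes only what it saw
    if ENO_OPTION not in synack_options:
        if client_pins_peer:
            raise RuntimeError("pinned peer offered no TCPINC: downgrade")
        return "plaintext", None  # opportunistic: silently fall back
    return "encrypted", os.urandom(16)  # stands in for the key agreement

def tag(key, seq, payload):
    """Integrity tag over sequence number and payload (constructed format)."""
    msg = seq.to_bytes(4, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()

def accept(key, segment):
    """Receiver check: plaintext sessions accept anything, encrypted sessions
    accept only segments whose tag was made with the session key."""
    if key is None:
        return True
    expected = tag(key, segment["seq"], segment["payload"])
    return segment["tag"] is not None and hmac.compare_digest(segment["tag"], expected)

def scenario(client_pins_peer, attacker_on_path_at_handshake):
    """Outcome of one connection followed by an injection attempt by someone
    who knows the sequence number but never learned the session key."""
    try:
        mode, key = handshake(client_pins_peer, attacker_on_path_at_handshake)
    except RuntimeError:
        return "downgrade_detected"
    forged = {"seq": 1, "payload": b"injected", "tag": None}
    return "injection_accepted" if accept(key, forged) else "injection_rejected"
```

Running the four combinations of `scenario` reproduces the argument: without pinning an attacker present at the handshake gets plaintext and later injections succeed; with pinning the downgrade is refused; and whenever the handshake completed unmolested, injections without the key are rejected.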

On Sun, Apr 26, 2015 at 11:36 AM, Christian Huitema <[email protected]>
wrote:

> > An attack on TCP/TLS has now been detected at broad scale, and traced
> > back to the bug responsible (client-side Heartbleed) and the probable
> > attacker (agency with massive pipe access, e.g. NSA).
> >
> > This attack more fully informs the reason for the existence of the
> > group.  It less directly informs the technical solutions, and indeed
> > might just cause confusion as there is room for both sides to claim "I
> > told you so!"  :)
>
> +1.
>
> What is the value of TCP-INC if it cannot defend against packet injection
> attacks?
>
> -- Christian Huitema
>
> >
> > http://cryptome.org/2015/04/goodcrypto-attacked.htm
> >
> > ... In early 2015 people were still downloading our ISO file for
> > GoodCrypto. But suddenly installations stopped.
> >
> > After a lot of checking we noticed that the downloads got HTTP 200
> > result codes, but the lengths were all too short. This isn't supposed to
> > happen. A 200 result means success. These weren't successful downloads,
> > but the web logs said they were. Ordinary log checks didn't show the
> > bug. ...
> >
> > _______________________________________________
> > Tcpinc mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/tcpinc