Hi Jim,

Here’s the patch [1].

Regards,
Florin

[1] https://gerrit.fd.io/r/#/c/16675/

> On Dec 29, 2018, at 10:59 PM, Florin Coras via Lists.Fd.Io <fcoras.lists=gmail....@lists.fd.io> wrote:
>
>> On Dec 29, 2018, at 8:26 PM, Jim Thompson <j...@netgate.com> wrote:
>>
>>> On Dec 29, 2018, at 6:42 PM, Florin Coras <fcoras.li...@gmail.com> wrote:
>>>
>>> Hi Jim,
>>>
>>> That has to do with the initial sequence number generation.
>>
>> Understood. Thus the title of "Defending against Sequence Number Attacks".
>>
>>> We don’t exactly implement that algorithm, but we do generate the initial sequence number randomly based on time.
>>
>> Understood. Currently we do:
>>
>> tc->iss = random_u32 (&time_now);
>
> Yup.
>
>> in tcp_init_snd_vars(), but I’m not sure that’s not an RFC violation. Quoting:
>>
>> "If random numbers are used as the sole source of the secret, they MUST be chosen in accordance with the recommendations given in RFC4086."
>>
>> If it isn’t, fine. If it is, then the question becomes: "Would adding a 4 usec timer be harmful to the host stack?"
>>
>> From inspection it looks like all the other data to call the RFC-recommended
>>
>> tc->iss = M + F (localip, localport, remoteip, remoteport, secretkey)
>>
>> is present. (Where M is the current value of that 4 usec timer, F is MD5, and secretkey is some value we pick up or generate during VPP startup.)
>
> We could just use vlib time for that. I’ll add it to my list, in case nobody beats me to it.
>
> Florin
>
>> Jim
>>
>>> Florin
>>>
>>>> On Dec 29, 2018, at 12:42 PM, Jim Thompson <j...@netgate.com> wrote:
>>>>
>>>> Florin,
>>>>
>>>> Maybe he wants RFC 6528.
>>>>
>>>> Jim
>>>>
>>>>> On Dec 29, 2018, at 10:59 AM, Florin Coras <fcoras.li...@gmail.com> wrote:
>>>>>
>>>>> Hi Brayan,
>>>>>
>>>>> I’m not entirely sure I understand your question. Obviously, we have sequence validation in tcp as per RFC 793. For details, see tcp_segment_validate in tcp_input.c. As part of that function, we also check for PAWS as per RFC 1323/7323.
>>>>>
>>>>> Hope this helps,
>>>>> Florin
>>>>>
>>>>>> On Dec 29, 2018, at 5:29 AM, brayan ortega <brayan.ortega6...@gmail.com> wrote:
>>>>>>
>>>>>> Dear VPP Folks,
>>>>>>
>>>>>> I would like to know about sequence number checking functionality. Is this functionality implemented already?
>>>>>> 1- If yes: Guide me about that.
>>>>>> 2- If no: Is there any plan for sequence number checking implementation? It seems it is essential to prevent sequence number prediction attacks.
>>>>>>
>>>>>> Best Regards,
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#11820): https://lists.fd.io/g/vpp-dev/message/11820 Mute This Topic: https://lists.fd.io/mt/28880091/21656 Group Owner: vpp-dev+ow...@lists.fd.io Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
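The ISN construction Jim quotes from RFC 6528, ISN = M + F(localip, localport, remoteip, remoteport, secretkey), worked through as an added example. This is illustration code written for this page, not VPP code and not the patch linked above: the byte layout of the 4-tuple fed to MD5, the truncation of the digest to its first four bytes, the helper names and the sample addresses (RFC 5737 documentation ranges) are all choices made here. It puts the RFC 6528 scheme next to the older shared-clock scheme (ISN = M alone) and shows what an off-path attacker who observes the ISN of their own connection can and cannot predict about another connection opening later on the same host: against the shared clock the guess is exact, against RFC 6528 it is off by F(victim) - F(attacker), which depends on the secret. The RFC 4086 requirement Jim quotes applies to how that secret is generated; the example draws it from the OS CSPRNG once, as a host would at startup.

```python
"""RFC 6528 initial sequence number generation, added example (not VPP code).

    ISN = M + F(localip, localport, remoteip, remoteport, secretkey)

M is a 32-bit counter that increments every 4 microseconds; F is MD5 over the
connection 4-tuple and a per-host secret. Encoding and helper names are
choices made for this example.
"""
import hashlib
import ipaddress
import os
import struct

MASK32 = 0xFFFFFFFF
TICK_US = 4  # RFC 6528: M ticks once every 4 microseconds


def new_secret() -> bytes:
    """Per-host secret, generated once at startup. RFC 6528 requires a random
    secret to follow RFC 4086; the OS CSPRNG satisfies that."""
    return os.urandom(16)


def clock_m(now_us: int) -> int:
    """M: number of 4 us ticks elapsed, wrapped to 32 bits."""
    return (now_us // TICK_US) & MASK32


def f_md5(local_ip, local_port, remote_ip, remote_port, secret: bytes) -> int:
    """F(...): MD5 over the packed 4-tuple and the secret, truncated to 32 bits.
    The layout (address, port, address, port, secret) is a choice made here;
    any fixed, unambiguous encoding works."""
    msg = (ipaddress.ip_address(local_ip).packed
           + struct.pack("!H", local_port)
           + ipaddress.ip_address(remote_ip).packed
           + struct.pack("!H", remote_port)
           + secret)
    return struct.unpack("!I", hashlib.md5(msg).digest()[:4])[0]


def isn_rfc6528(local_ip, local_port, remote_ip, remote_port, secret, now_us) -> int:
    """ISN = M + F(4-tuple, secret) mod 2**32."""
    f = f_md5(local_ip, local_port, remote_ip, remote_port, secret)
    return (clock_m(now_us) + f) & MASK32


def isn_global_clock(now_us) -> int:
    """Pre-RFC 6528 scheme: the shared clock alone, identical for every 4-tuple."""
    return clock_m(now_us)


def attacker_guess(observed_isn, observed_us, target_us) -> int:
    """Off-path attacker: take the ISN seen on their own connection and advance
    it by the ticks elapsed until the victim's connection opens."""
    delta = (clock_m(target_us) - clock_m(observed_us)) & MASK32
    return (observed_isn + delta) & MASK32


def prediction_error(secret, t_attacker_us, t_victim_us) -> dict:
    """Attacker observes their own ISN at t_attacker_us and guesses the victim's
    ISN at t_victim_us. Returns the guess error mod 2**32 for each scheme."""
    server = "192.0.2.10"                 # constructed sample addresses
    attacker = ("198.51.100.7", 40001)
    victim = ("203.0.113.5", 40002)

    # Shared clock: the two ISNs differ only by elapsed ticks, so the guess is exact.
    seen = isn_global_clock(t_attacker_us)
    truth = isn_global_clock(t_victim_us)
    err_global = (truth - attacker_guess(seen, t_attacker_us, t_victim_us)) & MASK32

    # RFC 6528: the per-tuple offset F(...) is not shared between the connections,
    # so the guess is off by F(victim tuple) - F(attacker tuple).
    seen = isn_rfc6528(server, 443, attacker[0], attacker[1], secret, t_attacker_us)
    truth = isn_rfc6528(server, 443, victim[0], victim[1], secret, t_victim_us)
    err_6528 = (truth - attacker_guess(seen, t_attacker_us, t_victim_us)) & MASK32

    return {"global_clock": err_global, "rfc6528": err_6528}


if __name__ == "__main__":
    secret = new_secret()
    errs = prediction_error(secret, t_attacker_us=1_000_000, t_victim_us=1_250_000)
    print("guess error, shared clock: %d" % errs["global_clock"])
    print("guess error, RFC 6528:     %d (depends on the secret)" % errs["rfc6528"])
```

For a fixed 4-tuple the RFC 6528 ISN still advances by exactly one per 4 us tick, which is what keeps old segments from a previous incarnation of the same connection out of the current one; the randomness lives only in the per-tuple offset F, which is why the secret must be generated from a proper CSPRNG and kept out of reach of unprivileged users.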