[e2e] where to put endpoint authentication?
touch at ISI.EDU
Fri May 7 11:24:29 PDT 2004
The IETF TCPM mailing list has been discussing recent TCP RST spoofing
attacks on BGP and how best to prevent those attacks.
I recently posted an Internet Draft that summarizes the issues, for
During the writing of this draft, a question arose regarding the role of
TCP's sequence number in authentication, and where best to place
endpoint authentication. (see sections 3.1 and 4.1 in particular).
The question might be useful to raise here:
1) should sequence numbers be used for authentication?
IMO, the sequence space is primarily for:
1. receiver reordering
2. congestion control
3. duplicate detection
TCP drops segments outside the receive window
primarily, IMO, to discard stale segments
draft-tcpm-tcpsecure narrows the valid receive
window for RST segments (allowing them only
at the end of the current receive window),
primarily to protect against off-path RST
there have been previous suggestions to increase
the TCP sequence space to 64 bits, being revisited
to see if the additional 32 bits can provide the
equivalent of a segment 'cookie'
2) do transport protocols need authentication?
current transport authentication - cookies, MD5
signatures, etc., protect against off-path spoofing
such spoofing relies on forgery of several values:
- IP source/dest addresses
- TCP ports/sequence numbers
such attacks can be considered either:
- primarily network forgery
- forgery at both network and transport layers
where is protection more appropriate/useful?
- network (IMO)
- both are needed
3) are cookies reasonable authentication for transport layers?
Thoughts, either privately or to this list, appreciated. Additional
comments have been circulating on the IETF TCPM, IPsec, and MOBIKE
mailing lists, FYI.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 250 bytes
Desc: OpenPGP digital signature
Url : http://www.postel.org/pipermail/end2end-interest/attachments/20040507/c97be6c8/signature.bin
More information about the end2end-interest