[e2e] Receiving RST on a MD5 TCP connection.

Tapan Karwa tapankarwa at yahoo.com
Mon Jun 27 12:52:02 PDT 2005


Thanks a lot, Mitesh. I think your draft suggests
solutions to the attack part of my question.

I am wondering if there is any consensus on how we
should deal with the problem mentioned in Section 4.1
of RFC 2385.

Thanks.

--- Mitesh Dalal <mdalal at cisco.com> wrote:

> refer to
> http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-03.txt
>
> Although not a standard yet, it offers a reasonable
> mitigation.
>
> Thanks
> Mitesh
>
> On Mon, 27 Jun 2005, Tapan Karwa wrote:
>
> > Hi,
> >
> > I was going through RFC 2385 - Protection of BGP
> > Sessions via the TCP MD5 Signature Option
> >
> > In Section 4.1, it mentions
> > "Similarly, resets generated by a TCP in response to
> > segments sent on a stale connection will also be
> > ignored. Operationally this can be a problem since
> > resets help BGP recover quickly from peer crashes."
> >
> > This can easily happen in the following scenario:
> > XX is talking to YY and both are using MD5. YY
> > suddenly reboots but XX does not know about it yet. XX
> > sends the next segment to YY with the MD5 digest but
> > YY does not recognize it and hence sends a RST. Of
> > course this RST segment does not have the MD5 digest.
> >
> > Even when XX receives the RST, it won't/can't close the
> > connection since it will trash the packet as it does
> > not have the MD5 digest.
> >
> > I was wondering if there is any solution to this
> > problem. Will it be correct to accept the RST even if
> > the MD5 digest is missing? If we do that, can that
> > open doors for some other attacks?
> >
> > Thanks,
> > tapan.
> >
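The stale-connection reset problem discussed above, as an added Python model that is not from this thread or from any implementation or draft cited in it. It computes the RFC 2385 digest (pseudo-header, TCP header without options, data, key) and replays the XX/YY scenario: YY reboots, answers XX's signed segment with an unsigned RST, and XX's strict RFC 2385 receive path drops it. The Endpoint class, the addresses, the key, the assumption that every signed segment carries a 40-byte header (20-byte base header plus the padded MD5 option), and the accept_unsigned_rst switch that models the relaxation the question asks about are all constructed for this example.

```python
import hashlib
import socket
import struct
from dataclasses import dataclass, field
from typing import Optional

# Flag bits from RFC 793 and the option kind from RFC 2385.
TCP_RST = 0x04
TCP_ACK = 0x10
TCP_MD5_OPTION_KIND = 19

# Assumption for this model: a signed segment carries the 20-byte base header
# plus the 18-byte MD5 option padded to 20 bytes, i.e. a 40-byte TCP header.
SIGNED_HEADER_LEN = 40


@dataclass
class Segment:
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    payload: bytes = b""
    md5_digest: Optional[bytes] = None  # value of the kind-19 option, if present


def tcp_md5_digest(seg: Segment, key: bytes) -> bytes:
    """RFC 2385 section 2: MD5 over the pseudo-header (source IP, destination IP,
    zero-padded protocol number 6, segment length), the TCP header excluding
    options with the checksum field zeroed, the segment data, and the key."""
    seg_len = SIGNED_HEADER_LEN + len(seg.payload)
    pseudo = (socket.inet_aton(seg.src_ip) + socket.inet_aton(seg.dst_ip)
              + struct.pack("!BBH", 0, 6, seg_len))
    data_offset_flags = ((SIGNED_HEADER_LEN // 4) << 12) | seg.flags
    window, checksum, urgent = 65535, 0, 0
    header = struct.pack("!HHIIHHHH", seg.sport, seg.dport, seg.seq, seg.ack,
                         data_offset_flags, window, checksum, urgent)
    return hashlib.md5(pseudo + header + seg.payload + key).digest()


@dataclass
class Endpoint:
    name: str
    ip: str
    port: int
    key: Optional[bytes]               # shared MD5 key configured for the peer
    state: str = "ESTABLISHED"
    accept_unsigned_rst: bool = False  # the relaxation the thread asks about
    log: list = field(default_factory=list)

    def send(self, peer_ip, peer_port, seq, ack, flags, payload=b""):
        seg = Segment(self.ip, peer_ip, self.port, peer_port, seq, ack, flags, payload)
        # Only a live session is signed; a reset for an unknown connection is
        # emitted without the option, as the scenario in the thread describes.
        if self.key is not None and self.state != "CLOSED":
            seg.md5_digest = tcp_md5_digest(seg, self.key)
        return seg

    def receive(self, seg):
        """Process one inbound segment; return a reply segment or None."""
        if self.state == "CLOSED":
            # No connection for this 4-tuple after the reboot: RFC 793 reset,
            # sequence number taken from the incoming ACK field.
            self.log.append(f"{self.name}: no connection, sending RST")
            return self.send(seg.src_ip, seg.sport, seq=seg.ack, ack=0, flags=TCP_RST)
        if self.key is not None:
            if seg.md5_digest is None:
                if seg.flags & TCP_RST and self.accept_unsigned_rst:
                    self.state = "CLOSED"
                    self.log.append(f"{self.name}: accepted unsigned RST, connection closed")
                    return None
                # Strict RFC 2385 behaviour: unsigned segments are discarded.
                self.log.append(f"{self.name}: dropped segment, MD5 option missing")
                return None
            if seg.md5_digest != tcp_md5_digest(seg, self.key):
                self.log.append(f"{self.name}: dropped segment, MD5 digest mismatch")
                return None
        if seg.flags & TCP_RST:
            self.state = "CLOSED"
            self.log.append(f"{self.name}: signed RST accepted, connection closed")
        else:
            self.log.append(f"{self.name}: accepted {len(seg.payload)}-byte segment")
        return None


def simulate(accept_unsigned_rst=False):
    """Replay the XX/YY scenario; return XX's final state and the combined log."""
    key = b"bgp-shared-secret"  # constructed sample key
    xx = Endpoint("XX", "192.0.2.1", 179, key, accept_unsigned_rst=accept_unsigned_rst)
    yy = Endpoint("YY", "192.0.2.2", 179, key)
    yy.state = "CLOSED"  # YY rebooted; XX still believes the session is up
    data = xx.send(yy.ip, yy.port, seq=1000, ack=5000, flags=TCP_ACK, payload=b"KEEPALIVE")
    rst = yy.receive(data)
    xx.receive(rst)
    return xx.state, xx.log + yy.log


if __name__ == "__main__":
    for relaxed in (False, True):
        state, log = simulate(relaxed)
        print(f"accept_unsigned_rst={relaxed}: XX ends in {state}")
        for line in log:
            print("  " + line)
```

With the default strict policy XX stays in ESTABLISHED after the unsigned RST, which is exactly the Section 4.1 problem: recovery then waits on BGP hold timers rather than on the reset. Setting accept_unsigned_rst closes the session, but it also gives up the protection against spoofed resets that the option exists to provide, which is the trade-off the question raises.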



		