From: "Theodore Ts'o" <tytso@mit.edu>
To: Jean-Luc Cooke <jlcooke@certainkey.com>
Cc: James Morris <jmorris@redhat.com>,
	"YOSHIFUJI Hideaki / 吉藤英明" <yoshfuji@linux-ipv6.org>,
	mludvig@suse.cz, cryptoapi@lists.logix.cz,
	linux-kernel@vger.kernel.org, davem@redhat.com
Subject: Re: [PATCH]
Date: Mon, 9 Aug 2004 20:22:55 -0400
Message-ID: <20040810002255.GA3556@thunk.org>
In-Reply-To: <20040809184951.GH2192@certainkey.com>

On Mon, Aug 09, 2004 at 02:49:51PM -0400, Jean-Luc Cooke wrote:
> The only parts we're proposing to replace are:
>  - TCP sequence number generation (AES in CTR mode truncated to 32 bits, has
>    period of 2^32 and cannot be easily determined from previous sequences)
>    I will read your reference and learn from the implementation in random.c

Nope, that's not sufficient.  There's a reason why we're doing what
we're doing in random.c.  To quote from RFC 1948:

   The choice of initial sequence numbers for a connection is not
   random.  Rather, it must be chosen so as to minimize the probability
   of old stale packets being accepted by new incarnations of the same
   connection [6, Appendix A].  Furthermore, implementations of TCP
   derived from 4.2BSD contain special code to deal with such
   reincarnations when the server end of the original connection is
   still in TIMEWAIT state [7, pp. 945].  Accordingly, SIMPLE
   RANDOMIZATION, AS SUGGESTED IN [8], WILL NOT WORK WELL.

The F() as defined in RFC 1948, needs to be a crypto hash.  But it
doesn't need to be a particularly strong hash.  If it takes longer for
the attacker to break the hash than our rekey interval, that's
sufficient, since what we're protecting isn't any kind of secrecy of the
data; we just need to prevent the attacker from guessing the initial
sequence number just long enough so that he can't hijack a TCP
connection.  Hence the use of a cut-down MD4.  It's kludgy, yeah, and
it smells of roll-your-own-crypto, granted, but I emphasize again that
(a) this was never considered very high protection; if you really care
about protecting against these sorts of attacks, you will be using
application-level crypto (i.e., ssh'ing to a Cisco box instead of
using an unencrypted telnet connection), and (b) using real crypto is
too slow, and was affecting Linux in various network benchmarks.
That's why it was changed from the original MD5 as suggested by
Bellovin in RFC 1948, to a cut-down MD4.

And we ***never*** were insane enough to use SHA, or suggest that the
use of SHA was a good idea in this particular application.  I don't
know why some people had the assumption that SHA was ever used in TCP
sequence number generation, but they were wrong; that was never the
case.

						- Ted

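As an added illustration (this is not Ted's code and not the kernel's random.c, which uses a cut-down MD4 rather than MD5), the following Python sketch implements the RFC 1948 construction the message refers to: ISN = M + F(localhost, localport, remotehost, remoteport, secret), where M is the RFC 793 clock that advances every 4 microseconds and F is the MD5 Bellovin suggested, truncated to 32 bits, computed over a secret that is rekeyed periodically. It shows the property Ted's reply hinges on: for one 4-tuple the ISN still advances with the clock (so stale segments from an earlier incarnation are handled as in a classic TCP), while across 4-tuples the offset is unpredictable without the secret, and the secret only has to survive until the next rekey. The FakeClock, the 300-second rekey interval and the addresses are constructed for the example.

```python
import hashlib
import os
import struct
import time

# Assumed rekey interval for the example (constructed value, not a kernel setting).
REKEY_INTERVAL_S = 300.0


class FakeClock:
    """Constructed, manually advanced clock so the example is deterministic."""

    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class IsnGenerator:
    """RFC 1948 initial sequence numbers: ISN = M + F(4-tuple, secret)."""

    def __init__(self, secret=None, clock=time.monotonic, rekey_interval=REKEY_INTERVAL_S):
        self._clock = clock
        self._secret = secret if secret is not None else os.urandom(16)
        self._rekey_interval = rekey_interval
        self._last_rekey = clock()
        self.rekeys = 0  # how many times the secret has been replaced

    def _maybe_rekey(self):
        # Ted's point: F only needs to resist guessing for longer than this interval,
        # because a new secret makes everything learned about the old one useless.
        now = self._clock()
        if now - self._last_rekey >= self._rekey_interval:
            self._secret = os.urandom(16)
            self._last_rekey = now
            self.rekeys += 1

    def _f(self, laddr, lport, raddr, rport):
        # F = MD5(secret || laddr || lport || raddr || rport), truncated to 32 bits.
        data = (self._secret + laddr.encode() + struct.pack("!H", lport)
                + raddr.encode() + struct.pack("!H", rport))
        digest = hashlib.md5(data).digest()
        return struct.unpack("!I", digest[:4])[0]

    def _m(self):
        # RFC 793 clock: the ISN counter ticks every 4 microseconds (250 kHz).
        return int(self._clock() * 250_000) & 0xFFFFFFFF

    def isn(self, laddr, lport, raddr, rport):
        self._maybe_rekey()
        return (self._m() + self._f(laddr, lport, raddr, rport)) & 0xFFFFFFFF


def demo():
    """Show the per-4-tuple clock advance and the per-4-tuple secret offset."""
    clock = FakeClock()
    gen = IsnGenerator(secret=b"\x00" * 16, clock=clock)
    a1 = gen.isn("10.0.0.1", 40000, "10.0.0.2", 22)
    b1 = gen.isn("10.0.0.1", 40001, "10.0.0.2", 22)  # different local port
    clock.advance(1.0)
    a2 = gen.isn("10.0.0.1", 40000, "10.0.0.2", 22)
    clock.advance(REKEY_INTERVAL_S)  # crosses the rekey boundary
    a3 = gen.isn("10.0.0.1", 40000, "10.0.0.2", 22)
    return {
        # Same 4-tuple, same secret: ISN advanced by exactly one second of clock.
        "same_tuple_delta": (a2 - a1) & 0xFFFFFFFF,
        # Different 4-tuple: different offset, not derivable from a1 without the secret.
        "different_tuple": a1 != b1,
        # After the rekey the old relationship between a1 and a3 no longer holds.
        "rekeys": gen.rekeys,
        "all_in_range": all(0 <= v < 2**32 for v in (a1, b1, a2, a3)),
    }


if __name__ == "__main__":
    print(demo())
```

Running the module prints a dict in which the same-tuple delta is 250000 (one second at 250 kHz), a single rekey has occurred, and the two 4-tuples received different offsets.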

Thread overview:
2004-08-05 13:51 [PATCH] Michal Ludvig
2004-08-05 14:11 ` [PATCH] James Morris
2004-08-05 19:49   ` [PATCH] Jean-Luc Cooke
2004-08-06  2:47     ` [PATCH] James Morris
2004-08-06  2:03       ` [PATCH] Michael Halcrow
2004-08-06  4:58         ` [PATCH] Linus Torvalds
2004-08-06 13:03           ` [PATCH] Jean-Luc Cooke
2004-08-06  3:36       ` [PATCH] YOSHIFUJI Hideaki / 吉藤英明
2004-08-06  4:21         ` [PATCH] David S. Miller
2004-08-06  4:28         ` [PATCH] Jean-Luc Cooke
2004-08-06  4:42           ` [PATCH] James Morris
2004-08-06 12:54             ` [PATCH] Jean-Luc Cooke
2004-08-06 18:26               ` [PATCH] David S. Miller
2004-08-06 18:36                 ` [PATCH] Jean-Luc Cooke
2004-08-06 23:24               ` [PATCH] Matt Mackall
2004-08-07  3:01                 ` [PATCH] Jean-Luc Cooke
2004-08-07 22:26               ` [PATCH] Theodore Ts'o
2004-08-08 15:38                 ` [PATCH] Jean-Luc Cooke
2004-08-09 18:43                   ` [PATCH] Theodore Ts'o
2004-08-09 18:49                     ` [PATCH] Jean-Luc Cooke
2004-08-10  0:22                       ` Theodore Ts'o [this message]