From: Mark Felder
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:19.tcp
Date: Tue, 16 Sep 2014 08:49:08 -0500

On Tue, Sep 16, 2014, at 08:20, Lowell Gilbert wrote:
>
> Spoofing traffic is pretty easy. The reason it isn't generally a problem
> is that knowing what to spoof is more difficult. [I assume that's what
> feld@ actually meant, but it's an important distinction.]
>

How many AS are out there that don't implement BCP38? Spoofing these days
without MITM should be considered hard, and TCP even harder, no? I'd find
it more believable that it's easier to hijack BGP than to target someone
and successfully spoof TCP.

Maybe I'm just naive and haven't seen this behavior in the wild during
my time working at an ISP :-)