Date: Tue, 11 Apr 1995 07:04:17 -0400 (EDT)
From: Denis Fortin <fortin@zap.zap.qc.ca>
To: brians@protools.com (Brian Smith)
Cc: freebsd-questions@wcarchive.cdrom.com
Subject: Re: Does BSD implement TCP/IP incorrectly?
Message-ID: <199504111104.HAA01578@zap.zap.qc.ca>
In-Reply-To: <9504101732.AA16157@dot.protools.com> from "Brian Smith" at Apr 10, 95 10:32:15 am

> Although IP spoofing sounds like a new technique, it has actually
> been recognized and openly discussed for years. There are special
> provisions in the TCP/IP (Transmission Control Protocol/Internet
> Protocol) standard used by the Internet that are designed to make
> IP spoofing difficult. The problem is that the IP stack distributed
> with Berkeley Unix (and now used by most of the computer
> industry) doesn't implement the TCP/IP correctly.
>
> I have read the IP, UDP, and TCP RFC's and cannot recall any chunks of
> functionality missing in BSD TCP/IP implementation relevant to IP spoofing.

As far as I know, it has to do with the datagram sequence numbers used
in TCP connections. BSD TCP/IP always starts the sequence number at 1
(thereby making it relatively easy to guess that within a few moments of
a connection, the number will be 2, 3, 4, etc.)

If I recall properly, the relevant RFCs specify that these numbers are
supposed to be randomly chosen. Always picking "1" can probably be
construed as being somewhat predictable and less than random (!).

Now, I'm quoting all of this from memory, so any TCP/IP gurus out there
are welcome to jump in and correct me!

> Face it: Unix sucks.
>
> I really can't agree with him on his conclusion about releasing UNIX :),

Well, Unix sucks, yes. TCP/IP also sucks. C sucks, and C++ is worse.
VHS also sucks when compared to Beta!

On the other hand, their ubiquitousness (!?) makes them about the only
valid choices for a wide range of applications that require
interoperability and/or portability. Few people are proposing these days
that you should get the machines in your office set up using the OSI
suite. Heck, governments are even amending their GOSIP to allow for
TCP/IP.

The only thing you can really do for security is to try to make sure
that you do not become dependent on connections to the outside world for
your day-to-day operations (i.e. that your portion of the Internet can
run in isolation). You should also try to be "security conscious" (set
up a firewall, monitor any possible attacks, etc.)

Anyway, off of the soapbox for now, I've got to put out the garbage :-)

--
Denis Fortin
fortin@acm.org
DMR Group Inc, (514) 877-3301
These opinions are my own
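
The predictability concern discussed in the message above, as an added example that is not part of the original e-mail: a generator whose initial sequence numbers advance by a fixed step (a simplified stand-in for the behaviour the message describes) next to the keyed construction from RFC 6528, with a check that flags a constant-step series. All function names, addresses, ports and the key are assumptions made for this sketch, and HMAC-SHA256 is this example's choice for the hash F.

```python
import hashlib
import hmac

MASK32 = 0xFFFFFFFF

def counter_isn(n, start=1, step=1):
    """Predictable model: the n-th connection's ISN depends only on n."""
    return (start + step * n) & MASK32

def keyed_isn(secret, laddr, lport, raddr, rport, now_us):
    """RFC 6528 form: ISN = M + F(localip, localport, remoteip, remoteport, secretkey)."""
    m = (now_us // 4) & MASK32  # M: clock that ticks every 4 microseconds
    tuple_bytes = f"{laddr}:{lport}>{raddr}:{rport}".encode()
    # F: keyed hash of the connection 4-tuple, truncated to 32 bits
    digest = hmac.new(secret, tuple_bytes, hashlib.sha256).digest()
    f = int.from_bytes(digest[:4], "big")
    return (m + f) & MASK32

def constant_step(isns):
    """True when all successive differences (mod 2**32) are equal, i.e. the
    next value follows from any two observed ones."""
    deltas = {(b - a) & MASK32 for a, b in zip(isns, isns[1:])}
    return len(deltas) == 1

# Constructed sample: eight connections from one client, 1 ms apart, each from
# a new source port. Addresses are documentation ranges; the key is fixed only
# so the run is repeatable (a real stack draws it at random at boot).
SECRET = b"constructed-demo-key"
CLIENT, SERVER = "198.51.100.7", "192.0.2.1"

def sample_isns():
    counter = [counter_isn(n) for n in range(8)]
    keyed = [keyed_isn(SECRET, SERVER, 80, CLIENT, 1024 + n, 1000 * n)
             for n in range(8)]
    return counter, keyed

if __name__ == "__main__":
    counter, keyed = sample_isns()
    print("counter:", counter, "constant step:", constant_step(counter))
    print("keyed:  ", keyed, "constant step:", constant_step(keyed))
```

For a single 4-tuple the keyed value still advances with the clock, so sequence spaces of successive incarnations of the same connection do not overlap, while a different 4-tuple lands at an unrelated offset.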
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199504111104.HAA01578>