From: Leif Pedersen
Date: Tue, 16 Sep 2014 12:09:26 -0500
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:19.tcp
To: Mark Felder
Cc: "freebsd-security@freebsd.org"

On Tue, Sep 16, 2014 at 8:49 AM, Mark Felder wrote:

> How many AS are out there don't implement BCP38? Spoofing these days
> without MITM should be considered hard, and TCP even harder, no? I'd
> find it more believable that it's easier to hijack BGP than to target
> someone and successfully spoof TCP.
>
> Maybe I'm just naive and haven't seen this behavior in the wild during
> my time working at an ISP :-)

Between work and home, I have access to three internet connections from
different ISPs. None stop me from sourcing packets from arbitrary
addresses. For example, if I use "ifconfig xx0 alias 1.1.1.1/32; ping -S
1.1.1.1 " and use tcpdump on , I see the traffic with the source address
1.1.1.1. I have no special arrangements; just typical commodity service.

So there are at least three ISPs serving my area that don't prevent IP
spoofing.

-- 
As implied by email protocols, the information in this message is not
confidential. Any middle-man or recipient may inspect, modify, copy,
forward, reply to, delete, or filter email for any purpose unless said
parties are otherwise obligated. As the sender, I acknowledge that I have
a lower expectation of the control and privacy of this message than I
would a post-card. Further, nothing in this message is legally binding
without cryptographic evidence of its integrity.
http://bilbo.hobbiton.org/wiki/Eat_My_Sig
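
Added example, not part of the original message: a minimal Python model of the strict reverse-path check an ISP edge router can apply as one way of implementing BCP38 ingress filtering, showing why a packet sourced from 1.1.1.1 on a customer port would be dropped. The routing table, interface names and sample packets are constructed for illustration.

```python
import ipaddress

# Constructed routing table for a hypothetical ISP edge router:
# (prefix, interface the router would use to reach that prefix).
ROUTES = [
    ("0.0.0.0/0", "upstream0"),        # default route towards transit
    ("203.0.113.0/24", "cust0"),       # block assigned to customer A
    ("198.51.100.0/25", "cust1"),      # block assigned to customer B
]
TABLE = [(ipaddress.ip_network(p), ifc) for p, ifc in ROUTES]


def best_route(addr):
    """Longest-prefix match: return the interface used to reach addr."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, ifc) for net, ifc in TABLE if ip in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0])[1]


def ingress_permits(src, in_ifc):
    """Strict reverse-path check: accept a packet only if the best route
    back to its source address points out the interface it arrived on."""
    return best_route(src) == in_ifc


def filter_packets(packets):
    """Return (src, in_ifc, verdict) for each (src, in_ifc) pair."""
    return [(src, ifc, "pass" if ingress_permits(src, ifc) else "drop")
            for src, ifc in packets]


# Constructed sample traffic: (source address, arrival interface).
SAMPLE = [
    ("203.0.113.7", "cust0"),      # customer A using its own address
    ("1.1.1.1", "cust0"),          # customer A sourcing a foreign address
    ("198.51.100.200", "cust1"),   # outside customer B's /25
    ("203.0.113.7", "cust1"),      # customer B using customer A's address
    ("8.8.8.8", "upstream0"),      # ordinary traffic from the internet
]

if __name__ == "__main__":
    for src, ifc, verdict in filter_packets(SAMPLE):
        print(f"{verdict:4}  src={src:15}  in={ifc}")
```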