netdev

Re: [PATCH] Increased DoS protection.

To: Andi Kleen <ak@xxxxxx>
Subject: Re: [PATCH] Increased DoS protection.
From: Rusty Russell <rusty@xxxxxxxxxxxxxxxx>
Date: Fri, 28 Apr 2000 22:14:43 +0930
Cc: netdev@xxxxxxxxxxx, netfilter@xxxxxxxxxxxxxxx
In-reply-to: Your message of "Fri, 28 Apr 2000 09:52:54 +0200." <20000428095254.A875@fred.muc.de>
Sender: owner-netdev@xxxxxxxxxxx
In message <20000428095254.A875@xxxxxxxxxxx> you write:
> On Fri, Apr 28, 2000 at 04:10:55AM +0200, Rusty Russell wrote:
> > window tracking as per ipfilter, and then I can be more confident that
> > a real three-way handshake has occurred, and set a high-confidence bit
> > for that connection.
> 
> It is still hard when you consider reboots. The 3way handshake is long gone.
> Simply checking for an ACK from inside is not enough, because TCP generally 
> acks all out of window packets (so it would be easy to fool from an attacker
> who guesses ports). On other connections you'll only see legitimate ACKs
> from one end, so checking for more than just an ack doesn't work either.
> How do you plan to handle that problem? 

I could stop reading mail from you, so I remain ignorant? 8)

You *could* figure out retroactively that the prior packet was
out-of-window (handwave).  But it's probably easier to live with the
fact that connections tracked across reboots won't have the
`DONT_KILL_ME_IM_A_GENUINE_CONNECTION' bit set, meaning they'll be
the first up against the wall if we're under stress.

No connection tracking will be perfect.  No NAPT will be perfect,
either.  Both are protocol perversions.

Rusty.
--
Hacking time.
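The tradeoff the two mails describe (a high-confidence bit that only a fully observed three-way handshake can earn, connections picked up mid-stream after a reboot never getting it, and those unmarked entries being "first up against the wall" when the table is full) can be shown with a small state machine. The code below is an added illustration, not code from this thread or from the Linux connection-tracking code; the class and field names (`ConnTracker`, `assured`, `max_entries`) are my own, the addresses are constructed sample traffic, and the "window tracking as per ipfilter" Rusty mentions is deliberately not implemented, so a bare ACK to an unknown flow, which is exactly Andi's concern, creates only an unassured entry.

```python
"""Toy TCP connection tracker (illustrative, not the kernel's conntrack).

An entry's `assured` bit is set only when SYN, SYN/ACK and the final ACK were
all seen in the right directions.  A packet for a flow the tracker has never
seen, e.g. traffic that predates a reboot, is picked up as ESTABLISHED but
stays unassured.  When the table is full, unassured entries are evicted first.
"""
from collections import OrderedDict

# Standard TCP flag bits.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


def flow_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a flow share one entry."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


class Conn:
    def __init__(self, originator):
        self.originator = originator  # (ip, port) that sent the first packet we saw
        self.state = "NONE"
        self.assured = False          # the high-confidence bit from the mail


class ConnTracker:
    def __init__(self, max_entries):
        self.max_entries = max_entries
        self.table = OrderedDict()    # key -> Conn, least recently used first
        self.evicted = []             # keys dropped to make room, in order

    def _make_room(self):
        """Evict one entry if the table is full: unassured first, else oldest."""
        if len(self.table) < self.max_entries:
            return
        for key, conn in self.table.items():
            if not conn.assured:
                victim = key
                break
        else:
            victim = next(iter(self.table))
        del self.table[victim]
        self.evicted.append(victim)

    def packet(self, src, sport, dst, dport, flags):
        """Feed one packet; returns the (possibly new) Conn, or None on RST."""
        key = flow_key(src, sport, dst, dport)
        conn = self.table.get(key)
        if conn is None:
            if flags & RST:
                return None           # nothing to track for a stray reset
            self._make_room()
            conn = Conn(originator=(src, sport))
            if flags & SYN and not flags & ACK:
                conn.state = "SYN_SENT"
            else:
                # Mid-stream pickup: no handshake observed, so never assured.
                conn.state = "ESTABLISHED"
            self.table[key] = conn
            return conn

        self.table.move_to_end(key)   # mark as recently used
        if flags & RST:
            del self.table[key]
            return None
        from_originator = (src, sport) == conn.originator
        if conn.state == "SYN_SENT" and not from_originator \
                and flags & SYN and flags & ACK:
            conn.state = "SYN_RECV"
        elif conn.state == "SYN_RECV" and from_originator \
                and flags & ACK and not flags & SYN:
            conn.state = "ESTABLISHED"
            conn.assured = True       # handshake seen in both directions
        return conn
```

With `max_entries` set low you can watch the eviction order directly: a handshake-tracked flow survives table pressure while a flow that appeared as a bare ACK is dropped first; only when every remaining entry is assured does the oldest assured one go.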
