On Wed, 28 Nov 2007, Darden, Patrick S. wrote:

> Hey Darren,
> A few of my emails didn't make it to the list. The below
> missive doesn't make much sense since it references
> "all the reasons I have outlined before".

The list is still moderated, and the moderator approves some stuff
immediately, mulls over others, discards some and rejects others. Since
the list has always been moderated I'm not sure why folks aren't
remembering this...

> Here is most relevant missing email:
> It depends on the MITM exploit. If you just want to monitor
> a stream of traffic, then you are correct. If, however, you
> want to hijack the conversation it can be more difficult:

You're assuming a blind attack, a very dangerous assumption. Even with a
blind attack, you're assuming that (a) the attacker's prediction efforts
are stymied by hard-to-predict sequence numbers and (b) the attacker
(or defender) lacking enough bandwidth to brute force the sequence number
or the likey sequence number space.

In the case of (a) while the research has held up non-predictability in
many modern stacks we really don't know if the results for a particular
set of hardware and software are predictable given some additional data
like platform, OS and initial boot time, other connections to the same
stack, etc.

> TCP Sequence number included in the packet header. This number is
> changed for every packet by a prearranged formula, decided on during the
> TCP handshake stage.

"Prearranged formula decided on during the TCP handshake?"

Wanna show me where in the TCP spec there's some forumla negotiation?
AFAIR the spec (RFC793) handles the progression of ISN+1 and SND.NXT and
RCV.NXT in the specification not the handshake, what am I missing?

Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
Art: http://PaulDRobertson.imagekind.com/

firewall-wizards mailing list