Well then, Mike,
I disagree with your thought process. You can send ICMP unreachables
all day long today! It only strengthens the protocol to send the
correct error messages and to respond to the protocol conditions
correctly.
Also, you have not responded by a valid technical question, but
are hand-waving... I'll ask again. How do you propose a hack
can do these three things at the same time?
(1) Know the state of a TCP connection (SYN_RCVD).
(2) Know the sequence number of the response,
(3) Know a random code in the identifier field,
(4) Know both the source and destination address of the connection;
(5) Know the exact time window of the SYN-ACK/SYN-SYN handshake.
If you, Mike, can break this, and explain how to do it, then
we can add
(6) MD5 authentication to ICMP.
BTW, after you explain in detail how to spoof (1)-(5) then
I would like to ask you a favor....
I would appreciate it if you would not give credit for
ICMP UNREACHABLE to me. ICMP UNREACHABLE errors are specified
in RFC 793. Please 'redirect' this credit elsewhere. It is
not my original idea. All I am asking is for the protocol
to work as designed so I can have one more piece of info
to use in an algorithm.
I await your technical reply on how to defeat the conditions
1-5 above, and if you can, then add 6 and explain how
to defeat that as well.
Somewhat Patiently (but anxiously awaiting technical answers),
Tim
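The five conditions Tim lists are, read from the receiving host's side, the checks a TCP stack would apply to an incoming ICMP Destination Unreachable before letting it free a half-open (SYN_RCVD) entry. The code below is an added illustration of that validation and is not code from either correspondent or from any of the vendor implementations mentioned in the thread. It assumes a hypothetical SYN-queue table keyed by the connection 4-tuple, reads condition (3)'s "identifier field" as the IPv4 identification field of the SYN-ACK (an assumption), and uses a constructed 3-second window for condition (5). The sample packets are constructed inline, with a zero ICMP checksum, purely so the check can be run offline.

```python
import socket
import struct
from dataclasses import dataclass

ICMP_DEST_UNREACH = 3          # ICMP type 3, "destination unreachable"
IPPROTO_TCP = 6
ICMP_HDR_LEN = 8               # type, code, checksum, 4 unused bytes
IPV4_HDR_LEN = 20              # minimal IPv4 header, no options
QUOTED_TCP_LEN = 8             # RFC 792: first 8 bytes of the offending datagram's payload


@dataclass
class HalfOpenConn:
    """One entry of a hypothetical SYN queue: a connection sitting in SYN_RCVD."""
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int
    iss: int               # sequence number we put in our SYN-ACK            (condition 2)
    synack_ip_id: int      # random IP identification field on that SYN-ACK  (condition 3)
    synack_sent_at: float  # time the SYN-ACK left the host                  (condition 5)
    state: str = "SYN_RCVD"


def conn_key(c):
    return (c.local_addr, c.local_port, c.remote_addr, c.remote_port)


def build_icmp_unreach(code, inner_src, inner_dst, ip_id, sport, dport, seq):
    """Constructed sample ICMP Destination Unreachable (checksum left zero):
    8-byte ICMP header + the quoted IPv4 header + first 8 bytes of the TCP header."""
    inner_ip = struct.pack("!BBHHHBBH4s4s",
                           0x45, 0, IPV4_HDR_LEN + 20, ip_id, 0, 64, IPPROTO_TCP, 0,
                           socket.inet_aton(inner_src), socket.inet_aton(inner_dst))
    inner_tcp = struct.pack("!HHI", sport, dport, seq)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + inner_ip + inner_tcp


def validate_icmp_unreach(packet, syn_queue, now, window=3.0):
    """Return (conn, reason): conn is the SYN_RCVD entry this error legitimately
    refers to, or None with the failed condition named in reason."""
    if len(packet) < ICMP_HDR_LEN + IPV4_HDR_LEN + QUOTED_TCP_LEN:
        return None, "truncated: no quoted IP+TCP header"
    if packet[0] != ICMP_DEST_UNREACH:
        return None, "not a destination-unreachable message"
    ip = packet[ICMP_HDR_LEN:ICMP_HDR_LEN + IPV4_HDR_LEN]
    ver_ihl, _, _, ip_id, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip)
    if ver_ihl != 0x45 or proto != IPPROTO_TCP:
        return None, "quoted datagram is not a plain IPv4/TCP packet"
    start = ICMP_HDR_LEN + IPV4_HDR_LEN
    sport, dport, seq = struct.unpack("!HHI", packet[start:start + QUOTED_TCP_LEN])
    # The quoted datagram is *our* SYN-ACK, so its source is our local end (condition 4).
    key = (socket.inet_ntoa(src), sport, socket.inet_ntoa(dst), dport)
    conn = syn_queue.get(key)
    if conn is None:
        return None, "(4) no connection with this 4-tuple"
    if conn.state != "SYN_RCVD":
        return None, "(1) connection is not in SYN_RCVD"
    if seq != conn.iss:
        return None, "(2) quoted sequence number does not match our SYN-ACK"
    if ip_id != conn.synack_ip_id:
        return None, "(3) quoted IP identifier does not match our SYN-ACK"
    if not (0 <= now - conn.synack_sent_at <= window):
        return None, "(5) error arrived outside the SYN-ACK time window"
    return conn, "ok"


def drop_if_unreachable(packet, syn_queue, now):
    """Free the half-open entry only when every condition holds; report why otherwise."""
    conn, reason = validate_icmp_unreach(packet, syn_queue, now)
    if conn is not None:
        del syn_queue[conn_key(conn)]
        return True, reason
    return False, reason


if __name__ == "__main__":
    # Constructed sample: one half-open connection, one genuine-looking error for it.
    q = {}
    c = HalfOpenConn("192.0.2.10", 80, "198.51.100.7", 40000,
                     iss=0x1234ABCD, synack_ip_id=0x5A5A, synack_sent_at=100.0)
    q[conn_key(c)] = c
    pkt = build_icmp_unreach(1, "192.0.2.10", "198.51.100.7", 0x5A5A, 80, 40000, 0x1234ABCD)
    print(drop_if_unreachable(pkt, q, now=101.0))
```

The reason strings name the condition that failed, which is the thing a defender wants logged: an ICMP error that matches the 4-tuple but carries the wrong sequence number or identifier is exactly the signal that someone is guessing.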
> Also, you have not responded by a valid technical question, but
> are hand-waving... I'll ask again. How do you propose a hack
> can do these three things at the same time?
This is not the right forum to discuss TCP internals nor is it the right
forum to discuss building hardened kernels
There are already lots of people working on fixing the SYN problems.
Implementations are available for SunOS, FreeBSD, NetBSD, BSDI, Linux,
IRIX and perhaps others. Solaris can be protected by adjusting kernel
resources with the ndd command. HP, SCO and others have announced that
they have teams working on a fix. Most firewall companies are working on a
solution for those sites protected by firewalls; two have announced
available products.
So what is it you are trying to do here? And why are you trying to do it
here of all places?
> I would appreciate it if you would not give credit for
> ICMP UNREACHABLE to me. ICMP UNREACHABLE errors are specified
> in RFC 793. Please 'redirect' this credit elsewhere. It is
> not my original idea.
OK, OK, OK, it was supposed to be a joke, a funny comment, a witticism.
> All I am asking is for the protocol
> to work as designed so I can have one more piece of info
> to use in an algorithm.
This is too much to ask for, IMHO.
> Somewhat Patiently (but anxiously awaiting technical answers),
That's like sending an email to president@whitehouse.gov to tell him
that you are hungry and then waiting anxiously for the Domino's delivery
guy to knock at your door.
You would get much better response to your questions if you would send
a subscribe message to firewalls-request@greatcircle.com and ask there.
Michael Dillon - ISP & Internet Consulting
Memra Software Inc. - Fax: +1-604-546-3049
http://www.memra.com - E-mail: michael@memra.com