Re: predictable IP ID

Andrea Arcangeli (andrea@suse.de)
Tue, 5 Oct 1999 02:26:13 +0200 (CEST)


On Mon, 4 Oct 1999, Theodore Y. Ts'o wrote:

>Um, if the "predictable IP ID's" under discussion is the "TESO Security
>Advisory" talking about the Linux Kernel 2.2.x ISN Vulnerability,
>this is fixed already in the latest pre-2.2 kernel issued by Alan (I
>believe; Alan, you did get this both into the ac kernels and the pre-2.2
>kernel series, right?) The problem is that the secret used in
>secure_tcp_sequence_number isn't getting initialized correctly, due to a
>type problem in get_random_bytes(). We should try the simple fix before
>we start talking about extreme measures such as installing AVL trees. :-)

The AVL-related issue is not related to the sequence numbers.

There were two TCP sequence number bugs in 2.2.x and 2.3.x just fixed in
2.2.13pre14 (one was the known secret, the other one was the use of the
source/dest pair of the listening socket instead of the data in the skb
buffer relative to the sock that is going to be in the
established state).

The ID issue instead is not related to TCP but it's an IP issue (ID is
the identification number and it lives in the IP domain). It's a number that
right now is increased by 1 for each packet sent out on the network (it's
used to be sure to defragment the right packet from its fragments, which
must have the same IP ID).

> if (!rekey_time || (tv.tv_sec - rekey_time) > REKEY_INTERVAL) {
> rekey_time = tv.tv_sec;
> /* First three words are overwritten below. */
>- get_random_bytes(&secret+3, sizeof(secret)-12);
>+ get_random_bytes(&secret[3], sizeof(secret)-12);
> count = (tv.tv_sec/REKEY_INTERVAL) << HASH_BITS;
> }
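Review bot: the `-`/`+` pair fixes a pointer-type mistake rather than a size one: `secret` is an array, so `&secret` is a pointer to the whole array and `&secret+3` advances by three times `sizeof(secret)`, writing the random bytes far past the buffer instead of into it, which is why the random part of the secret was never initialized; `&secret[3]` is the fourth word, as the comment "First three words are overwritten below." intends. While here, consider writing the length as `sizeof(secret) - 3*sizeof(secret[0])` instead of the literal `12`, so the skip of three words cannot drift from the element width.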

Yes, this was one problem of course. With the random part of the secret
known an attacker could guess the sequence number in the syn-ack even with
Alexey's fix applied...

Andrea
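The behaviour Andrea describes, an IP ID that goes up by 1 for every packet a host sends, can be checked for from the defender's side by looking at the IDs a host actually emits. This added example (not code from the thread or from the kernel) classifies a run of observed IP ID values as a global counter, a constant, or neither; the sample sequences and the `max_step` tolerance are constructed assumptions.

```python
# Added example: audit observed IP ID values for the incrementing-counter
# behaviour the thread discusses (2.2.x: ID += 1 per packet sent).
# IP ID is a 16-bit field, so deltas are taken modulo 2**16 to handle wrap.

def ip_id_deltas(ids):
    """Successive differences between observed IP ID values, modulo 2**16."""
    return [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]

def classify_ip_id(ids, max_step=16):
    """Classify a sequence of IP IDs captured from one host.

    'incremental': every step is a small positive increment, i.e. the host
                   uses a single global counter (what the advisory calls a
                   predictable ID); max_step allows for a few packets sent
                   to other peers between two observations (assumed value).
    'constant':    the ID never changes (e.g. a host that sets it to zero).
    'random':      anything else.
    """
    if len(ids) < 3:
        raise ValueError("need at least three samples to judge a sequence")
    deltas = ip_id_deltas(ids)
    if all(d == 0 for d in deltas):
        return "constant"
    if all(1 <= d <= max_step for d in deltas):
        return "incremental"
    return "random"

# Constructed samples, not captured traffic.
COUNTER_HOST = [65533, 65534, 65535, 0, 1, 2]        # wraps at 2**16
RANDOM_HOST = [0x1F3A, 0x9C02, 0x0417, 0xE5B1]
CONSTANT_HOST = [7, 7, 7]

if __name__ == "__main__":
    for name, sample in (("counter", COUNTER_HOST),
                         ("random", RANDOM_HOST),
                         ("constant", CONSTANT_HOST)):
        print(name, classify_ip_id(sample))
```

Feed it the ID field of consecutive packets from a single source address (for instance pulled from a capture) to learn whether that host still exposes a global counter.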
