SUMMARY: Digital Unix 4.0E (and constant TCP sequence numbers)

From: Keith Piepho <kap_at_uakron.edu>
Date: Fri, 05 Mar 1999 09:32:30 -0500

Original message:


>Hello,
>There was some discussion (if you could call it that) several weeks ago on
>the OSF1/Digital Unix/Tru64UNIX manager's list referring to the fact that
>v4.0E uses constant TCP sequence numbers. Not being a TCP expert, I was
>wondering about what the conventional wisdom is with respect to constant
>sequence numbers and security, and how much of a problem that is. I am
>looking for opinions of those more enlightened than myself. As I understand
>it (which I don't claim is much), this could/would facilitate such things as
>IP spoofing or perhaps even worse stuff. I don't have anything running 4.0E
>yet (hence the lack of panic in my voice as I ask), but am considering a
>purchase of a new machine that would have to run it (4.0E is required if you
>want the new alpha EV6 processor), so I'd like some advance warning, if
>possible.
>
>
>Any info about whether constant sequence numbers are a problem, general info
>on the ramifications, etc. would be greatly appreciated.
>
>Feel free to respond to the list, or reply directly to me, and I'll
>summarize for the list.
>
>thanks,
> -- - keith



Responses from:
        Joerg Czeranski
        Richard Sharpe
        Joe Fletcher

   Some confusion may have resulted from my talking about "constant TCP
sequence numbers" when I should have been talking about constant TCP
*initial* sequence numbers, thereby confirming my status as a TCP non-expert.

   There was some disagreement about whether 4.0E was really using constant
initial sequence numbers (ISNs). Some disagreement was based upon tcpdump
output, and some was based on "they couldn't really be doing that, could
they?" I was basing my info on the output of nmap (running from a remote
Linux box) which said the one test machine running 4.0E had constant ISNs,
where all my 4.0B/4.0D boxes did not.

  However, it seems pretty obvious that there is a problem with the ISNs,
since there is a security patch at www.service.digital.com for 4.0E with
ref number:
        SSRT0595U "TCP Initial Sequence Number"
The patch is called v40e_mup01.tar. Not surprisingly, it requires a
kernel rebuild. It appears to have been out since 3/1, but I wasn't
watching that carefully, since I don't have anything vulnerable yet (the
4.0E test box is not very trusting).

The bit of info I got about the bad stuff that could happen with constant
ISNs pretty much corresponded to my guesses. Constant ISNs are not a good
thing.

Thanks for the quick responses.

        -- - keith


-- 
Keith Piepho                    kap_at_uakron.edu
Technical Services              (330) 972-6130
The University of Akron
Received on Fri Mar 05 1999 - 14:34:52 NZDT
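
As an added example (not part of the original message, and not nmap's own code), here is a small audit script that applies the same idea as the nmap ISN test mentioned above: collect the ISN from several successive SYN/ACK replies of one host and check whether the values are constant, step by a fixed amount, are nearly fixed, or are spread out. The tcpdump line format, the jitter threshold and all sample values are constructed assumptions.

```python
"""Classify how predictable a host's TCP initial sequence numbers are.

Added example (not from the thread): the idea behind the nmap ISN test the
summary mentions. Sample data is constructed, not captured from a real host.
"""
import re

MODULUS = 2 ** 32          # TCP sequence numbers are 32-bit
JITTER_LIMIT = 2 ** 16     # assumed bound for "nearly fixed" step sizes

# Matches the classic tcpdump rendering of a SYN/ACK: "S isn:isn(0) ack N".
# The format is assumed from old tcpdump output; the lines below are made up.
SYNACK_RE = re.compile(r": S (\d+):\d+\(0\) ack \d+")

def isns_from_tcpdump(lines):
    """Extract the server ISN from each SYN/ACK line; other lines are ignored."""
    return [int(m.group(1)) for line in lines if (m := SYNACK_RE.search(line))]

def isn_deltas(isns):
    """Differences between successive ISNs, taken modulo 2^32."""
    return [(b - a) % MODULUS for a, b in zip(isns, isns[1:])]

def classify_isns(isns):
    """Return 'constant', 'fixed_step', 'low_variance', 'random' or 'insufficient'.
    'constant' is the 4.0E symptom in the thread: every ISN is the same value."""
    if len(isns) < 3:
        return "insufficient"
    deltas = isn_deltas(isns)
    if all(d == 0 for d in deltas):
        return "constant"
    if len(set(deltas)) == 1:
        return "fixed_step"
    if max(deltas) - min(deltas) < JITTER_LIMIT:
        return "low_variance"
    return "random"

# Constructed tcpdump-style capture: three SYN/ACKs from the same host, all
# carrying the same ISN (the pattern nmap flagged as "constant" in the summary).
SAMPLE_CAPTURE = [
    "09:32:01.100 srv.80 > cli.1025: S 1357924680:1357924680(0) ack 1 win 32768",
    "09:32:01.101 cli.1025 > srv.80: . ack 1 win 8760",
    "09:32:02.100 srv.80 > cli.1026: S 1357924680:1357924680(0) ack 1 win 32768",
    "09:32:03.100 srv.80 > cli.1027: S 1357924680:1357924680(0) ack 1 win 32768",
]

if __name__ == "__main__":
    print(classify_isns(isns_from_tcpdump(SAMPLE_CAPTURE)))  # constant
```

A host that is patched with the SSRT0595U kernel should move out of the "constant" class; rerunning the check after the rebuild is a cheap way to confirm the patch took effect.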