RE: Transmission Control Protocol (TCP) vulnerability ???

From: HP-France,ex2 ("SANCHEZ-MONGE,ANTONIO)
Date: Wed Apr 21 2004 - 15:49:47 GMT-3


Hi Paul,

The original CERT advisory says the authentication takes place in the TCP
header:

"To protect against such injections, RFC 2385 provides a method of using
MD5 signatures on the TCP Headers. If this form of verification is supported
and enabled between two peers, then an attacker would have to obtain the key
used to transmit the packet in order to successfully inject a packet into
the TCP session. Another alternative would be to tunnel BGP over IPSec.
Again, this would provide a form of authentication between the BGP peers and
the data that they transmit. The lack of authentication when using TCP for
BGP makes this type of attack more viable."

Even though the configuration is at the BGP level, the hash is at the TCP
level.

Cheers,
Ato.

-----Original Message-----
From: Paul Borghese [mailto:pborghese@groupstudy.com]
Sent: Wednesday, 21 April 2004 20:43
To: 'Armand D'; ccielab@groupstudy.com
Subject: RE: Transmission Control Protocol (TCP) vulnerability ???

I have been studying the vulnerability with relation to how it affects BGP
sessions. In a nutshell, the hacker sends a TCP RST message thus
terminating the BGP neighbor relationship. This causes the routes to be
removed from the BGP table. Do this a few times and (assuming you have
route dampening enabled) the routes are placed in a dampened state. The
hacker must guess the TCP Sequence number (or be close based upon the
windowing size).

Cisco's workaround is to simply use BGP authentication. While I do not
doubt Cisco has tested this and it works, I do not understand why it will
work. BGP is transported as data that rides over TCP/IP (port 179). Why
would authenticating application layer data prevent the TCP session from
being reset? The authentication is taking place at a higher layer than
layer 4.

Any opinions? Howard?

Take care,

Paul Borghese

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Armand D
Sent: Wednesday, April 21, 2004 1:51 PM
To: ccielab@groupstudy.com
Subject: Transmission Control Protocol (TCP) vulnerability ???

Hi,

I'm wondering what anyone thinks about the latest
vulnerability (TCP) specification? What precautions
are people taking if any at this point?

Thanks,

Armand

http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml
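
Added example (not part of the original thread or of the advisories it cites): the RFC 2385 digest check that the quoted advisory text refers to, showing why a spoofed RST is dropped even when its sequence number is in the window. Addresses, ports, key and sequence number are constructed sample values, and the segment length assumes the MD5 option is padded to 20 bytes.

```python
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
RST = 0x04
MD5_OPT_LEN = 20  # option kind 19, length 18, padded to a 4-byte boundary (assumption)


def base_header(sport, dport, seq, flags):
    """20-byte TCP header without options; checksum is zero for the digest."""
    data_offset = ((20 + MD5_OPT_LEN) // 4) << 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, data_offset, flags, 0, 0, 0)


def rfc2385_digest(src, dst, header, payload, key):
    """MD5 over pseudo-header, option-less TCP header, segment data, then key."""
    seg_len = len(header) + MD5_OPT_LEN + len(payload)
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    return hashlib.md5(pseudo + header + payload + key).digest()


def receiver_accepts(src, dst, header, payload, digest, key):
    """Recompute with the locally configured key; a segment whose digest is
    missing or wrong is dropped, so its RST flag is never acted on."""
    if digest is None:
        return False
    expected = rfc2385_digest(src, dst, header, payload, key)
    return hmac.compare_digest(expected, digest)


def demo():
    # Constructed sample values: documentation addresses, made-up key and sequence number.
    a, b, key = "192.0.2.1", "192.0.2.2", b"constructed-example-key"
    rst = base_header(40000, 179, 0x1000, RST)  # sequence number assumed in-window
    genuine = rfc2385_digest(a, b, rst, b"", key)
    guessed = rfc2385_digest(a, b, rst, b"", b"wrong-guess")
    return {
        "peer_with_key": receiver_accepts(a, b, rst, b"", genuine, key),
        "spoofed_no_option": receiver_accepts(a, b, rst, b"", None, key),
        "spoofed_wrong_key": receiver_accepts(a, b, rst, b"", guessed, key),
    }


if __name__ == "__main__":
    print(demo())
```

The digest covers the TCP header and pseudo-header, not the BGP payload, which is why a setting made under the BGP neighbor configuration protects the layer-4 session.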




This archive was generated by hypermail 2.1.4 : Mon May 03 2004 - 19:48:51 GMT-3