From: Christian Grothoff <christian@grothoff.org>
To: Daniel Borkmann <dborkman@redhat.com>,
Julian Kirsch <kirschju@sec.in.tum.de>
Cc: netdev@vger.kernel.org, Jacob Appelbaum <jacob@appelbaum.net>,
Pavel Emelyanov <xemul@parallels.com>
Subject: Re: [PATCH] TCP: Add support for TCP Stealth
Date: Thu, 01 Jan 2015 16:32:16 +0100
Message-ID: <54A56880.6040802@grothoff.org>
In-Reply-To: <54A566F2.4070401@redhat.com>
Dear Daniel,
That approach is highly vulnerable to timing attacks, and doesn't answer
how TCP clients without special capabilities could set the ISN correctly
either. Playing with raw sockets is the kind of geeky hack that is
unlikely to give us the combination of usability and security required
to significantly reduce the ongoing large-scale compromise of network
equipment by spy agencies.
Christian
On 01/01/2015 04:25 PM, Daniel Borkmann wrote:
>
> /me wondering (haven't tried that though) ... have you considered f.e.
> building a library using a raw packet socket with a BPF filter to capture
> SYN packets and then TCP_REPAIR [1] to build a full-blown TCP socket out
> of it in case of a correct authentication from the ISN?
>
> Thanks,
> Daniel
Thread overview: 9+ messages
2014-12-31 21:54 [PATCH] TCP: Add support for TCP Stealth Julian Kirsch
2015-01-01 15:25 ` Daniel Borkmann
2015-01-01 15:32 ` Christian Grothoff [this message]
2015-01-02 12:50 ` Daniel Borkmann
2015-01-02 14:06 ` Christian Grothoff
2015-01-01 19:06 ` Stephen Hemminger
2015-01-01 19:10 ` Stephen Hemminger
2015-01-01 23:31 ` Julian Kirsch
2015-01-02 10:36 ` Hagen Paul Pfeifer