
[Ipsec] new internet draft - draft-touch-anonsec



Hi, all,

The following I-D is soon to appear in the drafts directory; until then, 
here is the title and abstract, and it is available now at:

	http://www.isi.edu/touch/pubs/draft-touch-anonsec-00.txt

At this time, I'm soliciting discussion and feedback on both TCPM and 
IPsec mailing lists, where discussion of the issues of IPsec have been 
ongoing. I track both lists; please do NOT cross-post. I'll 
cross-summarize periodically if it proves necessary.

I'd also like to solicit input on which WG to proceed in.

Joe

----

       ANONsec: Anonymous IPsec to Defend Against Spoofing Attacks
                           draft-touch-anonsec

    Recent attacks on core Internet infrastructure indicate an increased
    vulnerability of TCP connections to spurious resets (RSTs).  TCP has
    always been susceptible to such RST spoof attacks, which were
    indirectly protected by checking that the RST sequence number was
    inside the current receive window, as well as via the obfuscation of
    TCP endpoint and port numbers. For pairs of well-known endpoints
    often over predictable port pairs, such as BGP, increases in the path
    bandwidth-delay product of a connection have sufficiently increased
    the receive window space that off-path third parties can guess a
    viable RST sequence number. This document addresses this
    vulnerability, discussing proposed solutions at the transport level
    and their inherent challenges, as well as existing network level
    solutions and the feasibility of their deployment. Finally, it
    proposes an extension to IPsec configuration called ANONsec that
    intends to efficiently and scalably secure any transport protocol
    from such off-path third-party spoofing attacks.

----
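The abstract's argument is that the receiver's in-window check on an RST is the only thing standing between an off-path third party and a connection reset, and that its protection shrinks as the receive window grows with the path's bandwidth-delay product. The following is an added illustration of that reasoning (my own example, not code from the draft); it assumes the RFC 793 acceptability test over a 32-bit sequence space, and the constructed BGP-style path parameters are placeholders.

```python
"""Model of the TCP receiver's RST in-window check and how the receive
window size sets the fraction of sequence numbers it will accept."""
import math

SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 test: is seq within [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2^32?

    A zero window accepts only the exact next expected sequence number.
    """
    if rcv_wnd == 0:
        return seq == rcv_nxt
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def bdp_window_bytes(bandwidth_bps: float, rtt_seconds: float) -> int:
    """Receive window needed to keep a path full: the bandwidth-delay product."""
    return int(bandwidth_bps * rtt_seconds / 8)


def accepted_fraction(rcv_wnd: int) -> float:
    """Fraction of the 2^32 sequence space that lands inside the window."""
    return rcv_wnd / SEQ_SPACE


def expected_blind_tries(rcv_wnd: int) -> int:
    """Expected number of uniformly random sequence numbers before one is
    accepted by the window check (the risk figure the abstract refers to)."""
    return math.ceil(SEQ_SPACE / max(rcv_wnd, 1))


if __name__ == "__main__":
    # Constructed comparison: a classic 64 KiB window versus a window sized
    # for a 1 Gbit/s path with 100 ms RTT (placeholder values, not from the draft).
    for label, wnd in (("64K window", 65535),
                       ("1Gbps/100ms BDP", bdp_window_bytes(1e9, 0.1))):
        print(f"{label}: window={wnd} bytes, accepted fraction="
              f"{accepted_fraction(wnd):.2e}, expected tries={expected_blind_tries(wnd)}")
    # Wraparound: a window straddling 2^32 still accepts the low sequence numbers.
    print(seq_in_window(5, SEQ_SPACE - 10, 100))  # True
```

The point for defenders is that the window check alone gives no fixed security margin: its strength is a function of tuning that is chosen for throughput, which is why the draft looks to the network layer rather than to the transport check.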
