RE: Details on TCP sequence numbers (RE: C API: minor comments)

[Harald Tveit Alvestrand <Harald@Alvestrand.no>]

At 09:49 16.11.99 -0800, Paul Leach (Exchange) wrote:

> As I said before, I was concerned in the LDAP/UDP case -- not yet a 
> standard, but there was support for progressing it at the last IETF.
>
> In that case, and for anonymous access, and assuming that the attacker has 
> a good idea what requests are going to look like, then it is possible to 
> inject bogus responses, or even bogus requests, without being able to see 
> the traffic. The TCP example was intended to be analagous, not identical 
> -- I was using it as an illustration of the technique -- clearly attackers 
> have a much better idea of what SYN packets look like than what the first 
> LDAP request will look like.

Assuming that there will be no authentication in CLDAP, and that it will be 
used to access or change non-public information?

> Using random initial sequence numbers seems a small price to pay to avoid 
> worries. It is very hard to predict the consequences of having such a 
> vulnerability.

For unauthenticated CLDAP - yes.

I still say it does not matter in the present batch of specs.

                      Harald

--
Harald Tveit Alvestrand, Maxware, Norway
Harald.Alvestrand@maxware.no