Re: Better than SYNcookies?

From: Alan Cox (alan@lxorguk.ukuu.org.uk)
Date: Mon Sep 25 2000 - 14:17:15 EST


> So is he right, is his solution better than SYNcookies and there is
> something to be learned from his solution? Or does someone need to take
> him to school on the issue.

He isn't preserving the negotiated TCP MSS.

Other issues:

- If his ISN is the IP address then it's a constant, which is far worse than
random and also usable for replay attacks

[i.e. I dial up, log the cookie, wait for you to get the same line - and I can
 collect the dialup rack over time]

Alan
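
The two objections above, as an added example that is not part of the original message or of the kernel's code: a SYN-cookie-style ISN that carries an MSS table index and a time counter under a server secret, next to an ISN derived only from an IP address. The bit layout, MSS table, the `mix()` stand-in hash and all names are assumptions made for illustration; the message does not say which address the criticised scheme uses, so the client address is assumed.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed MSS table; the cookie carries a 3-bit index into it. */
static const uint16_t mss_tab[8] = {216, 536, 768, 996, 1220, 1340, 1440, 1460};

struct flow { uint32_t saddr, daddr; uint16_t sport, dport; };

/* Toy keyed mixer standing in for a real keyed hash (NOT cryptographic). */
static uint32_t mix(const struct flow *f, uint32_t t, uint32_t secret) {
    uint32_t h = secret ^ 0x9e3779b9u;
    uint32_t w[4] = { f->saddr, f->daddr, ((uint32_t)f->sport << 16) | f->dport, t };
    for (int i = 0; i < 4; i++) { h ^= w[i]; h *= 0x01000193u; h ^= h >> 15; }
    return h;
}

/* Index of the largest table entry not exceeding the client's MSS. */
static unsigned mss_index(uint16_t mss) {
    unsigned i = 7;
    while (i > 0 && mss_tab[i] > mss) i--;
    return i;
}

/* Cookie layout (assumed): [t mod 32 : 5 bits][MSS index : 3][keyed hash : 24] */
uint32_t cookie_make(const struct flow *f, uint16_t mss, uint32_t t, uint32_t secret) {
    return ((t & 31u) << 27) | (mss_index(mss) << 24) | (mix(f, t, secret) & 0xffffffu);
}

/* Returns the recovered MSS, or 0 if the cookie is stale or does not verify. */
uint16_t cookie_check(const struct flow *f, uint32_t c, uint32_t now, uint32_t secret) {
    for (uint32_t age = 0; age < 2; age++) {      /* accept current and previous tick */
        uint32_t t = now - age;
        if ((c >> 27) == (t & 31u) && (c & 0xffffffu) == (mix(f, t, secret) & 0xffffffu))
            return mss_tab[(c >> 24) & 7u];
    }
    return 0;
}

/* The criticised scheme as described: ISN is just the address, so it never changes. */
uint32_t isn_from_ip(const struct flow *f) { return f->saddr; }

int main(void) {
    struct flow f = {0xc0000201u, 0xc6336401u, 40000, 80};  /* constructed flow */
    uint32_t c = cookie_make(&f, 1400, 1000, 0x5eed1234u);
    printf("fresh cookie -> MSS %u\n", (unsigned)cookie_check(&f, c, 1001, 0x5eed1234u));
    printf("logged cookie, 5 ticks later -> %u\n", (unsigned)cookie_check(&f, c, 1005, 0x5eed1234u));
    printf("IP-derived ISN, any time: %08x\n", (unsigned)isn_from_ip(&f));
    return 0;
}
```

The fresh cookie returns the MSS the server would otherwise have forgotten, the logged one is rejected once the counter has moved on, and the IP-derived value is identical for every connection from that address.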
