[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: Details on TCP sequence numbers (RE: C API: minor comments)
- To: "Paul Leach (Exchange)" <paulle@Exchange.Microsoft.com>, "Paul Leach (Exchange)" <paulle@Exchange.Microsoft.com>, "'Kurt D. Zeilenga'" <kurt@boolean.net>, Mark Wahl <M.Wahl@INNOSOFT.COM>
- Subject: RE: Details on TCP sequence numbers (RE: C API: minor comments)
- From: Harald Tveit Alvestrand <Harald@Alvestrand.no>
- Date: Tue, 16 Nov 1999 19:55:53 -0500
- Cc: "Paul Leach (Exchange)" <paulle@Exchange.Microsoft.com>, mcs@netscape.com, howes@yahoo.com, "Andy Herron (Exchange)" <andyhe@Exchange.Microsoft.com>, "Anoop Anantha (Exchange)" <anoopa@Exchange.Microsoft.com>, kurt@OpenLDAP.Org, ietf-ldapext@netscape.com
- In-reply-to: <19398D273324D3118A2B0008C7E9A569051BEAB5@SIT.platinum.corp.microsoft.com>
- Resent-date: Tue, 16 Nov 1999 11:58:05 -0800 (PST)
- Resent-from: ietf-ldapext@netscape.com
- Resent-message-id: <"g2BX0.A.ji.EdbM4"@glacier>
- Resent-sender: ietf-ldapext-request@netscape.com
At 09:49 16.11.99 -0800, Paul Leach (Exchange) wrote:
As I said before, I was concerned in the LDAP/UDP case -- not yet a
standard, but there was support for progressing it at the last IETF.
In that case, and for anonymous access, and assuming that the attacker has
a good idea what requests are going to look like, then it is possible to
inject bogus responses, or even bogus requests, without being able to see
the traffic. The TCP example was intended to be analagous, not identical
-- I was using it as an illustration of the technique -- clearly attackers
have a much better idea of what SYN packets look like than what the first
LDAP request will look like.
Assuming that there will be no authentication in CLDAP, and that it will be
used to access or change non-public information?
Using random initial sequence numbers seems a small price to pay to avoid
worries. It is very hard to predict the consequences of having such a
vulnerability.
For unauthenticated CLDAP - yes.
I still say it does not matter in the present batch of specs.
Harald
--
Harald Tveit Alvestrand, Maxware, Norway
Harald.Alvestrand@maxware.no