Improving TCP's Robustness to Blind In-Window Attacks
Draft of message to be sent after approval:
From: The IESG <firstname.lastname@example.org>
To: IETF-Announce <email@example.com>
Cc: Internet Architecture Board <firstname.lastname@example.org>, RFC Editor <email@example.com>, tcpm mailing list <firstname.lastname@example.org>, tcpm chair <email@example.com>
Subject: Protocol Action: 'Improving TCP's Robustness to Blind In-Window Attacks' to Proposed Standard

The IESG has approved the following document:

- 'Improving TCP's Robustness to Blind In-Window Attacks' <draft-ietf-tcpm-tcpsecure-13.txt> as a Proposed Standard

This document is the product of the TCP Maintenance and Minor Extensions Working Group.

The IESG contact person is Lars Eggert.

A URL of this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-13.txt
Technical Summary

This document examines the fact that long-term TCP connections with well-known source and destination addresses are vulnerable to attack by the injection of bogus RST, SYN or data packets whose guessed sequence numbers fall into the current window of the connection. It provides three mitigation strategies that can be used to reduce the chance that an attacker succeeds with these spoofed segments.

Working Group Summary

The working group saw that there was a fair amount of experience with these mitigation strategies; two of them are very simple, and one is a bit more involved. The WG felt that this document is a SHOULD for devices that are susceptible to these types of attacks, and a MAY for other implementations. These changes are not needed for correct TCP operation, but they reduce the chance that a spoofed packet will be accepted as valid.

Document Quality

The document was reviewed for quality by a fair number of TCPM WG members. Several implementations of these strategies already exist, and there are no known interoperability issues with TCP implementations that do not have these changes.

Personnel

David Borman (firstname.lastname@example.org) is the document shepherd. Lars Eggert (email@example.com) reviewed the document for the IESG.