
Re: Last Call: 'Linklocal Multicast Name Resolution (LLMNR) ' to Proposed Standard

2005-08-30 17:05:29
One more thing:

On 31-aug-2005, at 0:55, Ned Freed wrote:

    Section 2.4 discusses use of TCP for LLMNR queries and responses. In
    composing an LLMNR query using TCP, the sender MUST set the Hop Limit
    field in the IPv6 header and the TTL field in the IPv4 header of the
    response to one (1). The responder SHOULD set the TTL or Hop Limit
    settings on the TCP listen socket to one (1) so that SYN-ACK packets
    will have TTL (IPv4) or Hop Limit (IPv6) set to one (1). This
    prevents an incoming connection from off-link since the sender will
    not receive a SYN-ACK from the responder.

I've heard reports in the past that attackers were able to spoof their end of a TCP session without being able to see return traffic. Obviously this is very hard to do if the TCP implementation uses enough randomness in its initial sequence numbers, but nonetheless it seems prudent to make it possible for the RECEIVER to check whether an incoming packet was forged (with the TTL=255 trick) rather than depend on the quality of the initial sequence number generation algorithm.

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
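The receiver-side check proposed in the message above (accept a packet only if its TTL or Hop Limit still reads 255, so no router can have forwarded it), as an added example that is not part of the thread or of the LLMNR draft. It assumes a Linux host, where the kernel reports the received TTL or hop limit as a 4-byte int in recvmsg() ancillary data; the port number, buffer size and fake_ancdata() helper are constructed for illustration.

```python
import socket
import struct

# Linux cmsg/sockopt numbers; fall back to the raw values if this Python build lacks them
IP_TTL = getattr(socket, "IP_TTL", 2)
IP_RECVTTL = getattr(socket, "IP_RECVTTL", 12)
IPV6_HOPLIMIT = getattr(socket, "IPV6_HOPLIMIT", 52)
IPV6_RECVHOPLIMIT = getattr(socket, "IPV6_RECVHOPLIMIT", 51)
ON_LINK_HOPS = 255  # any router on the path would have decremented this


def open_on_link_socket(family, port):
    """UDP socket that sends with TTL/hop limit 255 and asks the kernel to
    report the TTL/hop limit of every datagram it receives (assumed port)."""
    sock = socket.socket(family, socket.SOCK_DGRAM)
    if family == socket.AF_INET:
        sock.setsockopt(socket.IPPROTO_IP, IP_TTL, ON_LINK_HOPS)
        sock.setsockopt(socket.IPPROTO_IP, IP_RECVTTL, 1)
        sock.bind(("", port))
    else:
        sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_UNICAST_HOPS, ON_LINK_HOPS)
        sock.setsockopt(socket.IPPROTO_IPV6, IPV6_RECVHOPLIMIT, 1)
        sock.bind(("::", port))
    return sock


def received_hops(ancdata):
    """TTL (IPv4) or hop limit (IPv6) from recvmsg() ancillary data, or None."""
    for level, ctype, data in ancdata:
        if (level, ctype) in ((socket.IPPROTO_IP, IP_TTL), (socket.IPPROTO_IPV6, IPV6_HOPLIMIT)):
            return struct.unpack("i", data[:4])[0]  # Linux delivers a native int
    return None


def came_from_on_link(ancdata):
    """Forged-from-off-link check: accept only an undecremented hop count.
    A missing value fails closed, so a packet is never accepted by default."""
    return received_hops(ancdata) == ON_LINK_HOPS


def recv_on_link(sock, bufsize=512):
    """Read one datagram; return (payload, peer) or None if it failed the check."""
    data, ancdata, _flags, peer = sock.recvmsg(bufsize, socket.CMSG_SPACE(4))
    return (data, peer) if came_from_on_link(ancdata) else None


def fake_ancdata(hops, ipv6=False):
    """Constructed ancillary data shaped like the kernel's, for offline testing."""
    if ipv6:
        return [(socket.IPPROTO_IPV6, IPV6_HOPLIMIT, struct.pack("i", hops))]
    return [(socket.IPPROTO_IP, IP_TTL, struct.pack("i", hops))]
```

The check only works when the peer also sends at 255, which is the opposite convention from the draft's TTL-one rule quoted above; a responder cannot use both at once.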