Improving TCP/IP Security Through Randomization Without Sacrificing Interoperability
Michael J. Silbersack
Over the past few years, FreeBSD has learned to be cautious when making TCP/IP changes suggested in a security advisory; nearly every implementation of a recommended fix has led to users reporting unexpected compatibility problems. In all of these cases, a better look at the problem led to the creation of a more compatible and secure solution. This paper aims to describe the changes that FreeBSD has made to improve network security, showing how compatibility need not be thrown aside in the face of security if proper care is taken.
This paper discusses in detail the strengths and weaknesses of the existing algorithms used by FreeBSD for TCP Initial Sequence Number generation, TCP Timestamp generation, IP ID generation, and ephemeral port randomization. An improved variant of the RFC 1948 algorithm for Initial Sequence Number generation is proposed, as is the use of an RFC 1948 variant for TCP Timestamps. The reasons for using the proposed algorithm rather than zeroed or randomized Timestamps are explained, and an argument is made for using completely random IP ID values rather than generating values from an LCG. Finally, a solution for the problems experienced with randomized ephemeral ports by some FreeBSD users is discussed.
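The baseline RFC 1948 scheme that the proposed Initial Sequence Number generator builds on, shown here as an added example that is neither the paper's nor FreeBSD's code. It assumes IPv4 addresses, a constructed secret, and HMAC-SHA-256 in place of the MD5 the RFC suggests; the paper's improved variant is not reproduced here.

```python
import hashlib
import hmac
import socket
import struct
import time

# Secret for the keyed hash F(); constructed for this example. A real stack
# draws it from the kernel RNG at boot and may rotate it periodically.
ISN_SECRET = b"constructed-example-secret"

# RFC 793 specifies a 4-microsecond ISN clock, i.e. 250,000 increments per second.
ISN_CLOCK_HZ = 250_000


def isn_clock(now=None):
    """M: the 32-bit ISN clock shared by all connections."""
    if now is None:
        now = time.time()
    return int(now * ISN_CLOCK_HZ) & 0xFFFFFFFF


def isn_offset(local_ip, local_port, remote_ip, remote_port, secret=ISN_SECRET):
    """F(localhost, localport, remotehost, remoteport, secret): a per-connection
    32-bit offset that an off-path observer cannot compute without the secret.
    RFC 1948 suggests MD5; HMAC-SHA-256 is used here instead (assumption)."""
    tuple_bytes = struct.pack(
        "!4sH4sH",
        socket.inet_aton(local_ip), local_port,
        socket.inet_aton(remote_ip), remote_port,
    )
    digest = hmac.new(secret, tuple_bytes, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def rfc1948_isn(local_ip, local_port, remote_ip, remote_port, clock, secret=ISN_SECRET):
    """ISN = M + F(...) mod 2^32. The clock term keeps ISNs for one 4-tuple
    advancing over time (so stale segments from a previous incarnation are not
    accepted), while the offset term makes ISNs of different 4-tuples unrelated."""
    offset = isn_offset(local_ip, local_port, remote_ip, remote_port, secret)
    return (clock + offset) & 0xFFFFFFFF


if __name__ == "__main__":
    # Constructed sample 4-tuple (documentation address ranges).
    print(hex(rfc1948_isn("192.0.2.1", 80, "198.51.100.7", 40000, isn_clock())))
```

For a fixed 4-tuple the ISN advances exactly with the clock, while changing any element of the 4-tuple yields an unrelated value; that combination is what lets the scheme keep RFC 793 ordering guarantees without exposing a globally predictable sequence.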
About the Author
Mike Silbersack is a 26-year-old graduate student at the University of Wisconsin - Milwaukee, working on his M.S. in Computer Science. He earned his B.S. in Computer Science from the University of Wisconsin - Madison, a place where he spent far too much time being excited about computer science and not nearly enough time studying it.
In addition to putting off work on his thesis, Mike can also be found teaching Linux, Visual Basic, and security courses at a local technical college, helping out with the Video Club at his former high school, causing trouble with various parts of the FreeBSD kernel, or just playing video games. Mike's goal in life is to spend less time on that last item and more time on the previous ones.
Copyright © 2005 by EuroBSDCon 2005. All rights reserved.