Re: Questions about Version Negotiation Concerning Possible Handshake Interruption

[Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>]

A realistic on-path attack involves a government body that taps optic fiber
at an internet distribution node. The original intention behind the
construct may be to trigger an alarm whenever the string “dirty bomb”
appears in a protocol RFC 821 message (such as this one), and subsequently
for logging purposes to monitor traffic directed towards bulk fertiliser
suppliers. It is not possible to drop packets both due to the mechanical
construct, due to legislation, and because it might be too obvious.
However, having a datacenter with optic fibre near said access point gives
excellent insights into early handshakes including IP, port, connection ID,
and possible even a profile of the PRNG being used at some endpoint.

This makes it very simple to spoof and inject packets into handshake with a
good chance of winning any race. More difficult, but possible, it could
also observe packets and inject packets closer to the endpoint, for example
using long distance point to point radio communication to race the ordinary
packet stream.

Any argument about friendly gov is void because the internet travels across
multiple regions that each with near certainty have taps as those described
above making it a prime target in cyber warfare.

The question is then to what extend such a position can be utilised to
interfere with the handshake and what the outcome of such interference
would be, rather than a discussion of how plausible such an attack is,
because it is probably a 99% given if feasible.