[tcpm] Protocol Action: 'Improving TCP's Robustness to Blind In-Window Attacks' to Proposed Standard

[The IESG <iesg-secretary@ietf.org>]

The IESG has approved the following document:

- 'Improving TCP's Robustness to Blind In-Window Attacks '
   <draft-ietf-tcpm-tcpsecure-13.txt> as a Proposed Standard


This document is the product of the TCP Maintenance and Minor Extensions Working Group. 

The IESG contact person is Lars Eggert.

A URL of this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-13.txt

Technical Summary:

  This document examines the fact that long term TCP connections that
  have well known source and destination addresses are vulnerable to
  attack by the injection of bogus RST, SYN or data packets by guessing
  sequence numbers that fall into the current window of the connection.
  It provides three mitigation strategies that can be used to reduce the
  chance that an attacker can be successful with these spoofed segments.

Working Group Summary

  The working group saw that there was a fair amount of experience
  with these mitigation strategies; two of them are very simple, and
  one is a bit more involved.  The WG felt that this document is a
  SHOULD for devices that are susceptible to these types of attacks,
  and a MAY for other implementations.  These changes are not needed
  for correct TCP operation, but reduce the chance that a spoofed
  packet will be accepted as valid.

Document Quality

  The document was reviewed for quality by a fair number of TCPM
  WG members.  There already exist several implementations of these
  strategies, and there are not any known interoperability issues
  with TCP implementations that do not have these changes.

Personnel

  David Borman (david.borman@windriver.com) is the document shepherd.
  Lars Eggert (lars.eggert@nokia.com) reviewed the document for the IESG.