Re: [tcpm] PoC for draft-moncaster-tcpm-rcv-cheat-02

Fernando Gont <> Thu, 27 March 2008 17:14 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 859783A6FF9; Thu, 27 Mar 2008 10:14:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -98.48
X-Spam-Status: No, score=-98.48 tagged_above=-999 required=5 tests=[AWL=-0.540, BAYES_00=-2.599, DATE_IN_PAST_96_XX=1.69, FH_RELAY_NODNS=1.451, HELO_MISMATCH_ORG=0.611, RDNS_NONE=0.1, SARE_RECV_SPEEDY_AR=0.808, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id cc-lR0ydXrdJ; Thu, 27 Mar 2008 10:14:48 -0700 (PDT)
Received: from (localhost []) by (Postfix) with ESMTP id 700EA3A6B76; Thu, 27 Mar 2008 10:14:48 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9F17F3A6FF9 for <>; Thu, 27 Mar 2008 10:14:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 9dmjhV42Nq8N for <>; Thu, 27 Mar 2008 10:14:42 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id CAC953A6C5E for <>; Thu, 27 Mar 2008 10:14:39 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 51A0A5A8BAF; Thu, 27 Mar 2008 14:08:23 -0300 (ART)
Received: from ( [] (may be forged)) (authenticated bits=0) by (8.13.8/8.13.8) with ESMTP id m2RH88ic024800; Thu, 27 Mar 2008 14:08:09 -0300
Message-Id: <>
X-Mailer: QUALCOMM Windows Eudora Version
Date: Wed, 27 Feb 2008 13:58:23 -0300
To: Stefanos Harhalakis <>,
From: Fernando Gont <>
In-Reply-To: <>
References: <>
Mime-Version: 1.0
X-Greylist: Sender succeeded SMTP AUTH authentication, not delayed by milter-greylist-3.0 ( []); Thu, 27 Mar 2008 14:08:17 -0300 (ART)
Subject: Re: [tcpm] PoC for draft-moncaster-tcpm-rcv-cheat-02
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <>
List-Unsubscribe: <>, <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

At 07:29 p.m. 25/03/2008, Stefanos Harhalakis wrote:

>I'm considering wether I should make this (small) tool public or not.
>On the plus side: It can be used as a proof of concept and for easily testing
>future implementations of this draft (if it becomes an RFC)
>On the minus side: Since it is very easy to use (no kernel patches etc), it
>can be easily abused by people that are not currently able to re-implement
>So, I kindly ask for your advice:
>Based on your experience, would it be of any use if I made this public?

This issue was disclosed by US-CERT. That is, vendors were contacted, 
and had the chance to do something about it.

It has a CVE name: , and 
there's a US-CERT report about it:

According to US-CERT's report, there has not been much of a response 
from vendors.

I suggest you contact CERT and let them know that your planning to 
disclose your PoC. Set your own deadline as to until when you'd be 
willing to get a response on a way forward (i.e., are vendors going 
to be as unresponsive as they have been so far?)

Additionally, contact developers at FreeBSD, NetBSD, OpenBSD and 
Linux. I can provide a few names at each, if you want. But they 
usually have some form of security@ contact. I know quite a few 
people at these projects that do care about security issues, and 
would be willing to implement counter-measures if they make sense.

If the process with CERT doesn't go as expected, (and provided you 
have already talked with the open source projects and given them some 
time to do something about it), post your code to bugtraq and CC 
full-disclosure. Also include a pointer to Savage's paper and to 
Sherwood's paper, too. And also include a pointer to Moncaster's draft.

I could also put you in contact with the right people at UK CPNI 
( In my own experience, they have proved to 
be more responsive, and much nicer to work with.

Kind regards,

Fernando Gont
e-mail: ||
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

tcpm mailing list