Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!ucbvax!TIS.COM!balenson
From: balenson@TIS.COM (David M. Balenson)
Newsgroups: comp.protocols.tcp-ip
Subject: Sequence numbers provide security?? (Bellovin's article)
Message-ID: <8905081540.AA07029@TIS.COM>
Date: 8 May 89 15:40:53 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 24

I have read with interest Bellovin's article on "Security problems in the TCP/IP protocol suite". However, my interest diminished while reading the first section on "TCP sequence number prediction". I don't see the relevance of this attack to authentication.

My understanding of TCP sequence numbers is that they are used during connection establishment to guarantee (1) that both the client and server are ready to transfer data and (2) that they agree on initial sequence numbers. Since when are initial sequence numbers supposed to be used for authenticating the identity of either the client (or server), and hence prevent an intruder from impersonating a trusted host? The entire point of the discussion (and I presume Morris' original article, which I am trying to track down a copy of) is moot unless one assumes the ISNs are used for authentication.

Furthermore, even if I could not guess the server's ISN, couldn't I still spoof a trusted host by simply (e.g., on a Sun workstation) configuring my machine to look like (i.e., same name, perhaps same IP address) the trusted host? The key to preventing (or detecting) spoof attacks is the proper authentication of unique identities, yet this is not discussed (or mentioned).

So, either I am missing something or the article is missing something (e.g., a simple statement of assumptions, up front). I'd appreciate any clarification anyone can offer. Thanks.

-David M. Balenson
Trusted Information Systems, Inc.
(301) 854-5358