lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 12 Feb 2014 04:25:39 -0600
From:	Quinn Wood <wood.quinn.s@...il.com>
To:	linux-kernel@...r.kernel.org
Subject: Experimental Privacy Functions and TCP SYN Payloads

If program on host A spoofs the source address of an outgoing IPv4 packet then
places that address in the first 32 bits of a UDP payload, a program on host B
that is aware of these behaviors can still reply to the program on host A. [1]

Continuing with this approach the program on host A could encrypt the UDP pay-
load in a way that the program on host B can decrypt, and effectively reduce
the ability of others in the wide network to passively determine who host A is
sending transmissions to while simultaneously ensuring the program on host B
can respond to the program on host A. [2]

I'm uncertain how to proceed if I want to use TCP for stateful connections.
The requirement of a handshake before data is handed off to the program means
this approach won't work out of the box. I'm looking for any insight folks may
have regarding this.

My original approach to the handshake included setting one of the reserved
bits in the TCP header to indicate the first 32 bits of the payload were the
real source address. However this would be reliant on SYN packets containing
a payload. Does the Linux kernel allow this?

-

[1] Barring any non store-and-forward network behavior like dropping packets
    with questionable source addresses. Considering recent NTP-related  news
    this seems to be a not-entirely common activity :)
[2] This is of course reliant on both programs knowing the proper key for the
    other.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ