One more thing:
On 31-aug-2005, at 0:55, Ned Freed wrote:
Section 2.4 discusses use of TCP for LLMNR queries and responses. In composing an LLMNR query using TCP, the sender MUST set the Hop Limit field in the IPv6 header and the TTL field in the IPv4 header of the response to one (1). The responder SHOULD set the TTL or Hop Limit settings on the TCP listen socket to one (1) so that SYN-ACK packets will have TTL (IPv4) or Hop Limit (IPv6) set to one (1). This prevents an incoming connection from off-link since the sender will not receive a SYN-ACK from the responder.
I've heard reports in the past that attackers were able to spoof
their end of a TCP session without being able to see return traffic.
Obviously this is very hard to do if the TCP implementation uses
enough randomness in its initial sequence numbers, but nonetheless it
seems prudent to make it possible for the RECEIVER to check whether
an incoming packet was forged (with the TTL=255 trick) rather than
depend on the quality of the initial sequence number generation
algorithm.
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
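An added illustration of the two mechanisms discussed in the message (not code from the draft or the list): the responder-side TTL/Hop Limit of 1 on the listen socket, which keeps SYN-ACKs on-link, and the receiver-side "TTL=255 trick" (GTSM), which lets the listener itself reject segments that crossed a router. The listener helper, the sample packet list and the function names are constructed for this example.

```python
import socket

LLMNR_TTL = 1    # draft's rule: responder's TTL / Hop Limit on the listen socket
GTSM_TTL = 255   # "TTL=255 trick": a forwarded packet arrives with TTL < 255


def harden_listen_socket(sock: socket.socket, ttl: int = LLMNR_TTL) -> int:
    """Set the outgoing TTL (IPv4) or Hop Limit (IPv6) on a listening socket.

    Every segment the kernel sends for this socket, including the SYN-ACK,
    inherits the value, so an off-link initiator never sees the handshake
    complete. Returns the value read back from the kernel.
    """
    if sock.family == socket.AF_INET6:
        sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_UNICAST_HOPS, ttl)
        return sock.getsockopt(socket.IPPROTO_IPV6, socket.IPV6_UNICAST_HOPS)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
    return sock.getsockopt(socket.IPPROTO_IP, socket.IP_TTL)


def make_llmnr_tcp_listener(host: str = "127.0.0.1", port: int = 0) -> socket.socket:
    """Constructed helper: an IPv4 listener hardened as the draft requires."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    harden_listen_socket(s)
    s.bind((host, port))
    s.listen(1)
    return s


def is_on_link(received_ttl: int) -> bool:
    """Receiver-side check from the message: if neighbours send with 255,
    only an unforwarded packet still carries 255 on arrival. The kernel
    exposes the received value via IP_RECVTTL / IPV6_RECVHOPLIMIT
    ancillary data; that plumbing is omitted here."""
    return received_ttl == GTSM_TTL


def accept_on_link_only(packets):
    """Apply the check to (source, received_ttl) pairs; return passing sources."""
    return [src for src, ttl in packets if is_on_link(ttl)]


# Constructed sample, not captured traffic.
SAMPLE_PACKETS = [
    ("fe80::1", 255),       # neighbour using GTSM: hop limit untouched
    ("2001:db8::9", 254),   # crossed at least one router: rejected
    ("fe80::2", 64),        # neighbour not using GTSM: indistinguishable, rejected
]
```

Note that the two mechanisms are complementary: TTL=1 protects the responder's side of the handshake, while the 255 check gives the receiver evidence about the sender's side, independent of initial sequence number quality.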