Hi All,
I want to randomize the initial value of TCP Sequence number.
[Background]
Currently, the TCP initial sequence number (ISN) always starts from "0" when starting a TCP connection immediately after resetting the wifi-module.
In order to connect to the Server that supports "Defending Against Sequence Number Attacks",
I want to randomize the initial value of TCP Sequence number.
Software environment:
- WICED 6.2.1
- LwIP
Hardware environment:
- murata type-1LD wifi-module
[Question]
Which part of the source code should I change?
-----------------------------
I checked the following, but regarding the TCP sequence number,
it doesn't seem to be processed in particular.
/43xxx_Wi-Fi/WICED/network/LwIP/WICED/tcpip.c
Best Regards,
Sakagami
Dear Sakagami san,
LwIP contrib git already provides a similar example. You can try to port that in WICED SDK and reuse it.
If you migrate to addons\tcp_isn\, you will be able to find an implementation which uses MD5 to compute a hash of the input buffer, which contains both the four-tuple of the new TCP connection (local and remote IP address and port), as well as a 16-byte secret to make the results unpredictable to external parties.
Documentation: https://www.nongnu.org/lwip/2_0_x/group__lwip__opts__hooks.html#ga078d203053911cf3af178392700386a4
The contrib git can be found on the lwIP website: lwip/lwip-contrib.git - lwIP Contrib - Contributed code for Lightweight TCP/IP stack
The tcp_isn.c contains further instructions to add the necessary changes in the LwIP stack. Since we have not tested this, you would need to take care of the WICED side of the integration. Let us know if you run into any issue. Meanwhile, I would also try to find some alternate way to do this.
Regards,
Raktim
Are you referring to RFC 6528?
Dear RaktimR san,
Thank you for reply.
I am testing a TCP connection with a server.
The connection is unstable. I think that one of the causes is Server behavior with RFC 6528 protection.
First of all, I hope to implement initial value (that is, the 3-way handshake SYN packet sequence number) randomization
and check the effect.
Could you tell me which part of the source code should be changed?
Best Regards,
Sakagami
Dear Raktim san,
Thank you for your information and advice.
We will try them.
Best Regards,
Sakagami
Dear Sakagami san,
I will try to elaborate more on this, so that you can try the changes easily on your setup.
1. Migrate to 43xxx_Wi-Fi/WICED/network/LwIP/WWD/FreeRTOS/arch/cc.h. Add the following code chunk.
#ifdef TCP_ISN
struct ip_addr;
u32_t lwip_hook_tcp_isn(const struct ip_addr *local_ip, u16_t local_port, const struct ip_addr *remote_ip, u16_t remote_port);
#endif
Also, in the same file you would need to uncomment u16_t, u32_t typedefs since we are using them now.
2. Go to 43xxx_Wi-Fi/WICED/network/LwIP/WWD/FreeRTOS/lwipopts.h. Add the following code chunk.
#define TCP_ISN
#ifdef TCP_ISN
#define LWIP_HOOK_TCP_ISN lwip_hook_tcp_isn
#endif
3. Copy the tcp_isn.c, tcp_isn.h file from the contrib directory to 43xxx_Wi-Fi/WICED/network/LwIP/ver2.0.3/src/core and compile them by adding
ver$(VERSION)/src/core/tcp_isn.c
in the last line of 43xxx_Wi-Fi/WICED/network/LwIP/LwIP.mk
4. Modify the tcp_isn code to use the mbedTLS md5 library. Attached is an example which needs to be replaced in 43xxx_Wi-Fi/WICED/network/LwIP/ver2.0.3/src/core
I am not sure if I missed anything but this should help your effort a little. If you run into some compilation error, you might need to tweak a thing or two on your own. Kindly check this with your server and let me know if it works.
Regards,
Raktim
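As an added illustration of the ISN computation Raktim describes in his first answer (a keyed hash over the connection four-tuple plus a secret, added to a timer as in RFC 6528), written in the shape of the LWIP_HOOK_TCP_ISN hook from the steps above: this is example code, not code from the thread, from lwIP contrib's tcp_isn.c or from WICED. It assumes SipHash-2-4 as the keyed function in place of MD5 and a plain C struct in place of lwIP's ip_addr_t and port arguments; the secret and the 4-microsecond timer value are constructed inputs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SipHash-2-4 stands in for the keyed function F() of RFC 6528 (lwIP contrib's
 * tcp_isn.c hashes the same inputs plus a 16-byte secret with MD5 instead). */
#define ROTL(x, b) (uint64_t)(((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND do { v0 += v1; v1 = ROTL(v1, 13); v1 ^= v0; v0 = ROTL(v0, 32); \
    v2 += v3; v3 = ROTL(v3, 16); v3 ^= v2; v0 += v3; v3 = ROTL(v3, 21); v3 ^= v0; \
    v2 += v1; v1 = ROTL(v1, 17); v1 ^= v2; v2 = ROTL(v2, 32); } while (0)

static uint64_t le64(const uint8_t *p) {            /* little-endian 64-bit load */
    uint64_t v = 0; for (int i = 7; i >= 0; i--) v = (v << 8) | p[i]; return v;
}

uint64_t siphash24(const uint8_t *in, size_t len, const uint8_t key[16]) {
    uint64_t k0 = le64(key), k1 = le64(key + 8), b = (uint64_t)len << 56;
    uint64_t v0 = k0 ^ 0x736f6d6570736575ULL, v1 = k1 ^ 0x646f72616e646f6dULL;
    uint64_t v2 = k0 ^ 0x6c7967656e657261ULL, v3 = k1 ^ 0x7465646279746573ULL;
    size_t i;
    for (i = 0; i + 8 <= len; i += 8) {             /* full 8-byte blocks */
        uint64_t m = le64(in + i);
        v3 ^= m; SIPROUND; SIPROUND; v0 ^= m;
    }
    for (; i < len; i++) b |= (uint64_t)in[i] << (8 * (i % 8)); /* tail bytes + length */
    v3 ^= b; SIPROUND; SIPROUND; v0 ^= b;
    v2 ^= 0xff; SIPROUND; SIPROUND; SIPROUND; SIPROUND;
    return v0 ^ v1 ^ v2 ^ v3;
}

/* Plain-C stand-in for the four-tuple the LWIP_HOOK_TCP_ISN hook receives. */
typedef struct { uint8_t local_ip[4], remote_ip[4]; uint16_t local_port, remote_port; } tcp4_tuple;

/* RFC 6528: ISN = M + F(localip, localport, remoteip, remoteport, secretkey),
 * M being a 4-microsecond timer; uint32_t arithmetic gives the 2^32 wrap-around. */
uint32_t tcp_isn_rfc6528(const tcp4_tuple *t, const uint8_t secret[16], uint32_t usec_since_boot) {
    uint8_t in[12];                                 /* hash input: the four-tuple only */
    memcpy(in, t->local_ip, 4);  in[4] = t->local_port >> 8;  in[5] = t->local_port & 0xff;
    memcpy(in + 6, t->remote_ip, 4); in[10] = t->remote_port >> 8; in[11] = t->remote_port & 0xff;
    uint32_t f = (uint32_t)siphash24(in, sizeof in, secret); /* low 32 bits of the PRF */
    return usec_since_boot / 4 + f;                 /* the secret is the PRF key */
}

int main(void) {
    const uint8_t secret[16] = "constructed-key";   /* constructed; draw a random secret at boot */
    tcp4_tuple a = {{192, 168, 1, 10}, {203, 0, 113, 5}, 40000, 443};
    tcp4_tuple b = a; b.local_port = 40001;         /* the next outgoing connection */
    printf("isn(a)=%08x isn(b)=%08x\n", (unsigned)tcp_isn_rfc6528(&a, secret, 0),
           (unsigned)tcp_isn_rfc6528(&b, secret, 0));
    return 0;
}
```

Two consecutive connections to the same server get unrelated ISNs, while the timer term keeps successive ISNs of one connection pair advancing as RFC 6528 requires.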
Dear Raktim san,
Thank you for your support.
I could randomize the initial value of TCP Sequence number.
We will check the stability of the connection with the server.
Best Regards,
Sakagami