Date: Mon, 23 Jan 1995 15:37:36 -0500 From: "Perry E. Metzger" <perry@imsi.com> Christopher Klaus says: > To fully fix the problem will require all the vendors to come out with > kernel patches to make the TCP sequence numbering difficult to > guess, Even that is insufficient, actually. If you see a packet going by, you can still try to jam the works up and steal the connection anyway. The only permanent solution is a cryptographic security protocol for the net -- one is actually in the works now in the IETF. Morris' paper concludes with this sentence: A workable solution might be to only trust hosts on the same physical network, and modify gateways to reject packets that claim to, but do not in fact, come from directly connected networks. Your statement as to the ``only permanent solution'' suggests that you disagree with Morris' hypothesis. Do you believe that it's possible to use the techniques that are being discussed to get past a ``two wire'' firewall which ignores internal packets originating from the external wire? Rick