Christopher Klaus says: > > Christopher Klaus says: > > > Probably the best way to prevent IP spoofing attacks is to turn off all > > > ip-based authenication services, ie rsh, rlogin are the main ones. > > > > Insufficient. If you can see at least part of the packet stream, you > > can session-steal. This makes a mockery of things like S/Key. > > If you have an attacker that is listening to your packet stream, you > have more serious problem than just IP spoofing attacks. Well, I'm afraid that judicious use of the protocols can under some circumstances be enough knock just a couple of packets your way if you are pretty sure a link exists, and thats all you need to steal the connection. Given the way that the internet works, this is a problem for anyone traversing a firewall with a system like SNK, S/Key, Secure ID, or whatever, because their session could be hijacked after the fact. > The only long-term solution that would adequately fix many of these > problems is cryptography being implemented in authenication and encrypting > all network traffic. That is indeed the case. As I've noted, see draft-metzger-* in the nearest internet drafts directory for details on how to do that. I should be releasing an implementation for 4.4BSD kernels under a Berkeley style copyright. Perry