pello's network security

tcp timestamps

TCP timestamps notes:

  • RFC 1323
  • Timestamps: TSval 4125101209, TSecr 0 (SYN)
  • Timestamps: TSval 15477599, TSecr 4125101209 (SYN/ACK)
  • No timestamps in RST packets (Linux 2.6.31 stack)
  • No timestamps in SYN and SYN/ACK (Windows … needs to be tested with Win7)
  • Bad: RTTM only when the TCP window is low. Not realistic. Leads to “aliasing” artifacts in the estimated RTT. Must be used with all segments
  • Part of TCP options
  • The Linux 2.6.31 stack appears not to start the timestamp counter when the PC boots up (3 hours delay during my testing)
  • TCP timestamps can lead to slowness issues in network applications
  • About TCP timestamp generation (not covered by RFC 1323): http://tools.ietf.org/html/draft-gont-tcpm-tcp-timestamps-03
  • disect (TCP timestamp covert channel): http://www.mit.edu/~gif/covert-channel/src/
  • Arbitrary TCP ISN timestamps http://lkml.org/lkml/2008/2/15/244
  • TCP timestamps can lead to false results under Linux when SYN cookies are enabled
  • If more than one TSval is received before being echoed back:
    • delayed ACK (which, by the way, must be less than 0.5 s): answer with the first TSval received
    • ACK of an out-of-order segment (congestion): answer with the last packet received
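
Added example (not part of the original notes): a parser that pulls TSval/TSecr out of raw TCP option bytes and checks that a SYN/ACK echoes the SYN's TSval. The TSval/TSecr values are the ones from the capture above; the surrounding options (MSS, SACK permitted, window scale) and the byte strings themselves are constructed for illustration.

```python
import struct

# TCP option kinds used here (RFC 793 / RFC 1323)
OPT_EOL, OPT_NOP, OPT_TIMESTAMP = 0, 1, 8

def parse_tcp_timestamp(options: bytes):
    """Return (TSval, TSecr) from raw TCP option bytes, or None if absent."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == OPT_EOL:            # end of option list
            return None
        if kind == OPT_NOP:            # one-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(options):      # truncated: kind without a length byte
            raise ValueError("truncated TCP option")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad TCP option length")
        if kind == OPT_TIMESTAMP:
            if length != 10:           # kind + len + two 32-bit values
                raise ValueError("bad timestamp option length")
            return struct.unpack_from("!II", options, i + 2)
        i += length                    # skip any other option
    return None

def synack_echoes_syn(syn_opts: bytes, synack_opts: bytes) -> bool:
    """True when the SYN/ACK's TSecr equals the SYN's TSval."""
    syn_ts = parse_tcp_timestamp(syn_opts)
    synack_ts = parse_tcp_timestamp(synack_opts)
    if syn_ts is None or synack_ts is None:
        return False                   # one side did not send the option
    return synack_ts[1] == syn_ts[0]

# Constructed option bytes carrying the TSval/TSecr values from the notes.
SYN_OPTS = (bytes([2, 4, 0x05, 0xB4, 4, 2])            # MSS 1460, SACK permitted
            + bytes([8, 10]) + struct.pack("!II", 4125101209, 0)
            + bytes([1, 3, 3, 7]))                     # NOP, window scale 7
SYNACK_OPTS = (bytes([2, 4, 0x05, 0xB4, 4, 2])
               + bytes([8, 10]) + struct.pack("!II", 15477599, 4125101209)
               + bytes([1, 3, 3, 7]))
RST_OPTS = b""                                         # RST with no options

if __name__ == "__main__":
    print(parse_tcp_timestamp(SYN_OPTS), parse_tcp_timestamp(SYNACK_OPTS))
    print(parse_tcp_timestamp(RST_OPTS), synack_echoes_syn(SYN_OPTS, SYNACK_OPTS))
```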

to be completed

Posted on Sunday, March 7, 2010. Tagged with: TCP
Francois Ropert lives near Paris (France) and likes to deep dive in network (in)security