Marco Zecchini / Mbed OS Example_RTOS

Rtos API example

Embed: (wiki syntax)

« Back to documentation index

lwip_tcp_isn.c File Reference
Functions

lwip_tcp_isn.c File Reference

Reference implementation of the TCP ISN algorithm standardized in RFC 6528. More...

Go to the source code of this file.

Functions

void lwip_init_tcp_isn (u32_t boot_time, const u8_t *secret_16_bytes)
 Initialize the TCP ISN module, with the boot time and a secret.
u32_t lwip_hook_tcp_isn (const void *local_ip_ptr, u16_t local_port, const void *remote_ip_ptr, u16_t remote_port)
 Hook to generate an Initial Sequence Number (ISN) for a new TCP connection.

Detailed Description

Reference implementation of the TCP ISN algorithm standardized in RFC 6528.

Produce TCP Initial Sequence Numbers by combining an MD5-generated hash based on the new TCP connection's identity and a stable secret, with the current time at 4-microsecond granularity.

Specifically, the implementation uses MD5 to compute a hash of the input buffer, which contains both the four-tuple of the new TCP connection (local and remote IP address and port), as well as a 16-byte secret to make the results unpredictable to external parties. The secret must be given at initialization time and should ideally remain the same across system reboots. To be sure: the spoofing-resistance of the resulting ISN depends mainly on the strength of the supplied secret!

The implementation takes 32 bits from the computed hash, and adds to it the current time, in 4-microsecond units. The current time is computed from a boot time given at initialization, and the current uptime as provided by sys_now(). Thus, it assumes that sys_now() returns a time value that is relative to the boot time, i.e., that it starts at 0 at system boot, and only ever increases monotonically.

For efficiency reasons, a single MD5 input buffer is used, and partially filled in at initialization time. Specifically, of this 64-byte buffer, the first 36 bytes are used for the four-way TCP tuple data, followed by the 16-byte secret, followed by 12-byte zero padding. The 64-byte size of the buffer should achieve the best performance for the actual MD5 computation.

Basic usage:

1. in your lwipopts.h, add the following lines:

include <lwip/arch.h> struct ip_addr; u32_t lwip_hook_tcp_isn(const struct ip_addr *local_ip, u16_t local_port, const struct ip_addr *remote_ip, u16_t remote_port); "#define LWIP_HOOK_TCP_ISN lwip_hook_tcp_isn";

2. from your own code, call lwip_init_tcp_isn() at initialization time, with appropriate parameters.

Definition in file lwip_tcp_isn.c.

Function Documentation

u32_t lwip_hook_tcp_isn ( const void *  local_ip_ptr,
u16_t  local_port,
const void *  remote_ip_ptr,
u16_t  remote_port 
)

Hook to generate an Initial Sequence Number (ISN) for a new TCP connection.

Parameters:
local_ipThe local IP address.
local_portThe local port number, in host-byte order.
remote_ipThe remote IP address.
remote_portThe remote port number, in host-byte order.
Returns:
The ISN to use for the new TCP connection.

Definition at line 127 of file lwip_tcp_isn.c.

void lwip_init_tcp_isn ( u32_t  boot_time,
const u8_t *  secret_16_bytes 
)

Initialize the TCP ISN module, with the boot time and a secret.

Parameters:
boot_timeWall clock boot time of the system, in seconds.
secret_16_bytesA 16-byte secret used to randomize the TCP ISNs.

Definition at line 105 of file lwip_tcp_isn.c.

Generated on Sun Jul 17 2022 08:25:35 by  doxygen 1.7.2