Rtos API example
lwip_tcp_isn.c File Reference
Reference implementation of the TCP ISN algorithm standardized in RFC 6528. More...
Functions

void lwip_init_tcp_isn (u32_t boot_time, const u8_t *secret_16_bytes)
    Initialize the TCP ISN module, with the boot time and a secret.

u32_t lwip_hook_tcp_isn (const void *local_ip_ptr, u16_t local_port, const void *remote_ip_ptr, u16_t remote_port)
    Hook to generate an Initial Sequence Number (ISN) for a new TCP connection.
Detailed Description
Reference implementation of the TCP ISN algorithm standardized in RFC 6528.
Produce TCP Initial Sequence Numbers by combining an MD5-generated hash based on the new TCP connection's identity and a stable secret, with the current time at 4-microsecond granularity.
Specifically, the implementation uses MD5 to compute a hash of the input buffer, which contains both the four-tuple of the new TCP connection (local and remote IP address and port), as well as a 16-byte secret to make the results unpredictable to external parties. The secret must be given at initialization time and should ideally remain the same across system reboots. To be sure: the spoofing-resistance of the resulting ISN depends mainly on the strength of the supplied secret!
The implementation takes 32 bits from the computed hash, and adds to it the current time, in 4-microsecond units. The current time is computed from a boot time given at initialization, and the current uptime as provided by sys_now(). Thus, it assumes that sys_now() returns a time value that is relative to the boot time, i.e., that it starts at 0 at system boot, and only ever increases monotonically.
For efficiency reasons, a single MD5 input buffer is used, and partially filled in at initialization time. Specifically, of this 64-byte buffer, the first 36 bytes are used for the four-way TCP tuple data, followed by the 16-byte secret, followed by 12-byte zero padding. The 64-byte size of the buffer should achieve the best performance for the actual MD5 computation.
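As an added illustration (not lwIP's own code), the following Python model reproduces the construction described above: the 64-byte buffer laid out as a 36-byte 4-tuple, the 16-byte secret and 12 zero bytes, MD5 over that block, 32 bits of the digest plus the clock in 4-microsecond units. It assumes sys_now() counts milliseconds, that each address occupies a 16-byte slot followed by big-endian ports, and that the first four digest bytes are the 32 bits used; those details, the TcpIsn/isn_step names and the sample values are this example's assumptions, not the page's.

```python
import hashlib
import ipaddress
import struct

U32_MASK = 0xFFFFFFFF
# Layout from the description above: 36-byte 4-tuple, 16-byte secret, 12 zero bytes.
TUPLE_LEN, SECRET_LEN, BUF_LEN = 36, 16, 64


class TcpIsn:
    """ISN = 32 bits of MD5(4-tuple || secret || padding) + time in 4-us units."""

    def __init__(self, boot_time_s: int, secret_16_bytes: bytes) -> None:
        if len(secret_16_bytes) != SECRET_LEN:
            raise ValueError("secret must be exactly 16 bytes")
        # Part of the 64-byte block that never changes: secret, then zero padding.
        self._tail = secret_16_bytes + bytes(BUF_LEN - TUPLE_LEN - SECRET_LEN)
        # Boot time in seconds -> 4-microsecond units (250 000 per second), as u32.
        self._base_time = (boot_time_s * 250_000) & U32_MASK

    def build_input(self, local_ip, local_port, remote_ip, remote_port) -> bytes:
        """The full 64-byte MD5 input for one connection."""
        # Assumed layout of the 36-byte tuple: two 16-byte address slots (an IPv4
        # address fills the first 4 bytes of its slot), then two big-endian ports.
        lip = ipaddress.ip_address(local_ip).packed.ljust(16, b"\x00")
        rip = ipaddress.ip_address(remote_ip).packed.ljust(16, b"\x00")
        block = lip + rip + struct.pack("!HH", local_port, remote_port) + self._tail
        assert len(block) == BUF_LEN
        return block

    def isn(self, local_ip, local_port, remote_ip, remote_port, now_ms: int) -> int:
        """ISN for a new connection; now_ms models sys_now() (ms since boot)."""
        block = self.build_input(local_ip, local_port, remote_ip, remote_port)
        hash32 = int.from_bytes(hashlib.md5(block).digest()[:4], "little")
        # Add the current time: 1 ms = 250 units of 4 us; u32 arithmetic wraps.
        return (hash32 + self._base_time + now_ms * 250) & U32_MASK


def isn_step(gen: TcpIsn, conn: tuple, t1_ms: int, t2_ms: int) -> int:
    """ISN advance for one unchanged 4-tuple between two instants: the per-tuple
    hash cancels out, leaving only the clock term (the monotonic progression RFC
    6528 wants), while the absolute ISN stays hidden behind the secret."""
    return (gen.isn(*conn, t2_ms) - gen.isn(*conn, t1_ms)) & U32_MASK


if __name__ == "__main__":
    gen = TcpIsn(1_658_000_000, b"\x5a" * 16)  # constructed boot time and secret
    conn = ("192.0.2.10", 40000, "198.51.100.7", 443)
    print(f"ISN: {gen.isn(*conn, 1000):#010x}; +4 ms -> +{isn_step(gen, conn, 1000, 1004)}")
```

The step function shows why the secret matters: the clock term is predictable by anyone, so only the hash term keeps the absolute ISN out of reach of a weak secret or a missing one.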
Basic usage:
1. in your lwipopts.h, add the following lines:
   #include <lwip/arch.h>
   struct ip_addr;
   u32_t lwip_hook_tcp_isn(const struct ip_addr *local_ip, u16_t local_port, const struct ip_addr *remote_ip, u16_t remote_port);
   #define LWIP_HOOK_TCP_ISN lwip_hook_tcp_isn
2. from your own code, call lwip_init_tcp_isn() at initialization time, with appropriate parameters.
Definition in file lwip_tcp_isn.c.
Function Documentation
u32_t lwip_hook_tcp_isn (const void *local_ip_ptr, u16_t local_port, const void *remote_ip_ptr, u16_t remote_port)
Hook to generate an Initial Sequence Number (ISN) for a new TCP connection.
Parameters:
    local_ip      The local IP address.
    local_port    The local port number, in host-byte order.
    remote_ip     The remote IP address.
    remote_port   The remote port number, in host-byte order.
Returns:
    The ISN to use for the new TCP connection.
Definition at line 127 of file lwip_tcp_isn.c.
void lwip_init_tcp_isn (u32_t boot_time, const u8_t *secret_16_bytes)
Initialize the TCP ISN module, with the boot time and a secret.
Parameters:
    boot_time         Wall clock boot time of the system, in seconds.
    secret_16_bytes   A 16-byte secret used to randomize the TCP ISNs.
Definition at line 105 of file lwip_tcp_isn.c.
Generated on Sun Jul 17 2022 08:25:35 by 1.7.2