[j-nsp] Odd TCP Timestamp

Hannes Gredler hannes at juniper.net
Fri May 5 12:55:23 EDT 2006


This is a known issue - have a look at PR64682.




RFC1323 describes two techniques for increasing the performance of TCP: using TCP timestamps to estimate round-trip transmission times, and
Protection Against Wrapped Sequence Numbers (PAWS). When these features are enabled, certain TCP implementations may be vulnerable to denial of
service (DoS) attacks from packets with specially-crafted timestamp values. This vulnerability is described in PSN-2005-06-003.

The code changes made to address this vulnerability may generate incorrect timestamp values in ACK packets. This can make it appear as though the
virtual clock for a TCP session has moved backward and ultimately breaks TCP's Round Trip Time (RTT) Estimation. This in turn may lead to the TCP
session stalling. All TCP-based protocols and services (including the BGP and LDP routing protocols) running on an M-series, T-series, or J-series
router with JUNOS software built prior to November 10, 2005, are subject to this vulnerability.

This issue is tracked internally as PR/64682 for JUNOS software.

Solution

All JUNOS software Releases 6.4 and later built on or after November 10, 2005 contain modified code that ensures timestamp values always
increase. In addition, two new hidden configuration statements have been introduced to control the use of RFC1323 mechanisms.

For earlier JUNOS releases, turning off the RFC1323 and PAWS extensions ensures that a peer does not include TCP timestamps in its Acknowledgment
packets. Therefore the virtual TCP clock will not run backward and TCP sessions will not stall. In Release 6.4 these statements are located at the
[edit system] hierarchy level; in Releases 7.0 and later, they are located at the [edit system internet-options] hierarchy level.

* The no-tcp-rfc1323-paws statement disables RFC1323 PAWS TCP extensions. By default, the PAWS extension is enabled.
* The no-tcp-rfc1323 statement disables RFC1323 TCP extensions. By default, RFC1323 is enabled. If this option is configured, the no-tcp-rfc1323-paws
option must also be configured.

These configuration options are hidden and will not automatically complete; they must be entered in their entirety when adding them to the router's

Solution Implementation

All JUNOS software Releases 6.4 and later built on or after November 10, 2005 include the modified code. Juniper Networks
strongly recommends that customers install a version of JUNOS software that includes the changes to the TCP protocol. Customers who are unable to
upgrade are encouraged to use the suggested workaround of disabling RFC1323 extensions.

Please note that turning off RFC1323 extensions may affect the performance of the Border Gateway Protocol (BGP). BGP may take as much as two to five
times longer to exchange routing tables with neighboring routers.


Abhishek Verma wrote:
> Hi,
> It seems that the TCP timestamp is on by default in Juniper boxes. I see something strange happening there.
> It seems Juniper keeps the Time Stamp Echo Reply value that it receives in the first SYN packet, and does not update upon receiving newer and
> fresher packets from a remote end. It thus always ends up sending the same Timestamp value in all its TCP segments.
> Is this a known issue?
> Thanks,
> Abhishek
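The PAWS check and RTT sampling the advisory refers to, modelled as an added Python example (not Juniper's code and not from this thread). The segment traces are constructed to show the two symptoms described: a peer whose TSval runs backward, whose ACKs PAWS then discards until the session stalls, and a peer that keeps echoing a stale TSecr, which inflates every RTT sample.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

TS_MASK = (1 << 32) - 1  # TCP timestamps are 32-bit values that wrap around

def ts_before(a: int, b: int) -> bool:
    """True when timestamp a is older than b under 32-bit wrap-around, i.e. the
    signed difference a - b is negative (the comparison PAWS relies on)."""
    return ((a - b) & TS_MASK) > TS_MASK // 2

@dataclass
class Segment:
    tsval: int   # TSval: the sender's timestamp clock when the segment was sent
    tsecr: int   # TSecr: the latest TSval the sender had received from us

@dataclass
class Receiver:
    clock: int                            # our own timestamp clock, in ticks
    ts_recent: Optional[int] = None       # last TSval accepted on this connection
    rtt_samples: List[int] = field(default_factory=list)
    paws_drops: List[int] = field(default_factory=list)

    def deliver(self, seg: Segment) -> bool:
        """Process one inbound ACK; return True if it was accepted."""
        self.clock += 1  # one tick of our clock elapses per inbound segment
        # PAWS (RFC 1323 section 4.2): a segment whose TSval is older than the
        # last accepted one is treated as an old duplicate and discarded.
        if self.ts_recent is not None and ts_before(seg.tsval, self.ts_recent):
            self.paws_drops.append(seg.tsval)
            return False
        self.ts_recent = seg.tsval
        # RTTM (RFC 1323 section 3): the RTT sample is now minus the echoed TSecr.
        self.rtt_samples.append(self.clock - seg.tsecr)
        return True

def run_session(acks: List[Tuple[int, int]], clock_start: int = 1000):
    """Feed (tsval, tsecr) pairs from the peer; return (PAWS drops, RTT samples)."""
    rx = Receiver(clock=clock_start)
    for tsval, tsecr in acks:
        rx.deliver(Segment(tsval, tsecr))
    return rx.paws_drops, rx.rtt_samples

# Constructed traces. Healthy peer: TSval increases and TSecr tracks our clock.
HEALTHY = [(100, 1000), (101, 1001), (102, 1002), (103, 1003)]
# Peer whose timestamp clock "moves backward" as the advisory describes: from the
# fourth ACK on, every segment fails PAWS, so nothing it sends is accepted.
BACKWARD = [(100, 1000), (101, 1001), (102, 1002), (90, 1003), (91, 1004)]
# Peer that keeps echoing the first TSecr it saw (the symptom in the question):
# each RTT sample is larger than the last, so the RTT estimate never settles.
STALE_ECHO = [(100, 1000), (101, 1000), (102, 1000), (103, 1000)]
```

A legitimate 32-bit wrap (TSval 0xFFFFFFF0 followed by 5) is not a PAWS drop, which is why the modular comparison matters when checking a trace for this symptom.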
