Fernando Gont

Argentina
7K followers, 500+ connections

About

Fernando Gont is currently Staff Platform Security Engineer at Yalo, and has over twenty…

Volunteer experience

  • Chair

    LACNIC Security Forum (LACSEC)

    - 7 years 6 months

    Moderator of the LACNIC Security Forum, and Chair of the LACSEC event

Publications

  • RFC 6528: Defending against Sequence Number Attacks

    IETF

    This document specifies an algorithm for the generation of TCP Initial Sequence Numbers (ISNs), such that the chances of an off-path attacker guessing the sequence numbers in use by a target connection are reduced. This document revises (and formally obsoletes) RFC 1948, and takes the ISN generation algorithm originally proposed in that document to Standards Track, formally updating RFC 793.

    Other authors
    • Steven Bellovin
  • RFC 6274: Security Assessment of the Internet Protocol Version 4

    IETF

    This document contains a security assessment of the IETF specifications of the Internet Protocol version 4 and of a number of mechanisms and policies in use by popular IPv4 implementations. It is based on the results of a project carried out by the UK's Centre for the Protection of National Infrastructure (CPNI).

  • RFC 6191: Reducing the TIME-WAIT State Using TCP Timestamps

    IETF

    This document describes an algorithm for processing incoming SYN segments that allows higher connection-establishment rates between any two TCP endpoints when a TCP Timestamps option is present in the incoming SYN segment. This document only modifies processing of SYN segments received for connections in the TIME-WAIT state; processing in all other states is unchanged.

  • RFC 6056: Recommendations for Transport-Protocol Port Randomization

    IETF

    During the last few years, awareness has been raised about a number of "blind" attacks that can be performed against the Transmission Control Protocol (TCP) and similar protocols. The consequences of these attacks range from throughput reduction to broken connections or data corruption. These attacks rely on the attacker's ability to guess or know the five-tuple (Protocol, Source Address, Destination Address, Source Port, Destination Port) that identifies the transport protocol instance to be attacked. This document describes a number of simple and efficient methods for the selection of the client port number, such that the possibility of an attacker guessing the exact value is reduced. While this is not a replacement for cryptographic methods for protecting the transport-protocol instance, the aforementioned port selection algorithms provide improved security with very little effort and without any key management overhead. The algorithms described in this document are local policies that may be incrementally deployed and that do not violate the specifications of any of the transport protocols that may benefit from them, such as TCP, UDP, UDP-lite, Stream Control Transmission Protocol (SCTP), Datagram Congestion Control Protocol (DCCP), and RTP (provided that the RTP application explicitly signals the RTP and RTCP port numbers).

  • RFC 6093: On the Implementation of the TCP Urgent Mechanism

    IETF

    This document analyzes how current TCP implementations process TCP urgent indications and how the behavior of some widely deployed middleboxes affects how end systems process urgent indications. This document updates the relevant specifications such that they accommodate current practice in processing TCP urgent indications, raises awareness about the reliability of TCP urgent indications in the Internet, and recommends against the use of urgent indications (but provides advice to applications that do).

  • RFC 5927: ICMP Attacks against TCP

    IETF

    This document discusses the use of the Internet Control Message Protocol (ICMP) to perform a variety of attacks against the Transmission Control Protocol (TCP). Additionally, this document describes a number of widely implemented modifications to TCP's handling of ICMP error messages that help to mitigate these issues.

  • RFC 5482: TCP User Timeout Option

    IETF

    The TCP user timeout controls how long transmitted data may remain unacknowledged before a connection is forcefully closed. It is a local, per-connection parameter. This document specifies a new TCP option -- the TCP User Timeout Option -- that allows one end of a TCP connection to advertise its current user timeout value. This information provides advice to the other end of the TCP connection to adapt its user timeout accordingly. Increasing the user timeouts on both ends of a TCP connection allows it to survive extended periods without end-to-end connectivity. Decreasing the user timeouts allows busy servers to explicitly notify their clients that they will maintain the connection state only for a short time without connectivity.

  • RFC 5461: TCP's Reaction to Soft Errors

    IETF

    This document describes a non-standard, but widely implemented, modification to TCP's handling of ICMP soft error messages that rejects pending connection-requests when those error messages are received. This behavior reduces the likelihood of long delays between connection-establishment attempts that may arise in a number of scenarios, including one in which dual-stack nodes that have IPv6 enabled by default are deployed in IPv4 or mixed IPv4 and IPv6 environments.

  • Security Assessment of the Transmission Control Protocol (TCP)

    United Kingdom's Centre for the Protection of National Infrastructure (CPNI)

    This document is the result of a security assessment of the IETF specifications of the Transmission Control Protocol (TCP), from a security point of view. Possible threats are identified and, where possible, countermeasures are proposed. Additionally, many implementation flaws that have led to security vulnerabilities have been referenced in the hope that future implementations will not incur the same problems.

  • Security Assessment of the Internet Protocol

    United Kingdom's Centre for the Protection of National Infrastructure (CPNI)

    This document is the result of an assessment of the IETF specifications of the Internet Protocol from a security point of view. Possible threats were identified and, where possible, counter-measures were proposed. Additionally, many implementation flaws that have led to security vulnerabilities have been referenced in the hope that future implementations will not incur the same problems. This document does not limit itself to performing a security assessment of the relevant IETF specification but also offers an assessment of common implementation strategies.

    Whilst not aiming to be the final word on the security of the IP, this document aims to raise awareness about the many security threats based on the IP protocol that have been faced in the past, those that we are currently facing, and those we may still have to deal with in the future. It provides advice for the secure implementation of the IP, and also insights about the security aspects of the IP that may be of help to the Internet operations community.


Projects

  • SI6 Networks' IoT Toolkit

    The SI6 Networks' Internet of Things (IoT) Toolkit is a security assessment and troubleshooting tool for IoT devices and protocols.

  • IPv6 Toolkit Debian package

    Collaboration with Octavio Alvarez (maintainer of the SI6 Networks' IPv6 toolkit Debian package)

  • SI6 Networks' IPv6 Address Monitoring Daemon

    ipv6mon is a tool meant for monitoring IPv6 address usage on a local network. It is meant to be particularly useful in networks that employ IPv6 Stateless Address Auto-Configuration (as opposed to DHCPv6), where address assignment is decentralized and there is no central server that records which IPv6 addresses have been assigned to which nodes during which period of time. ipv6mon employs active probing to discover IPv6 addresses in use, and determine whether such addresses remain active.

  • SI6 Networks' IPv6 Toolkit

    The IPv6 toolkit is a portable IPv6 security assessment suite originally produced by Fernando Gont as part of a project funded by the UK CPNI.


Languages

  • Spanish

    Native or bilingual proficiency

  • English

    Native or bilingual proficiency

  • Portuguese

    Elementary proficiency

Organizations

  • IEEE

Recommendations received

2 people have recommended Fernando
