Date:      Mon, 29 Nov 1999 13:35:19 -0800 (PST)
From:      Matthew Dillon <dillon@apollo.backplane.com>
To:        Dan Moschuk <dan@FreeBSD.ORG>
Cc:        cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG
Subject:   Re: cvs commit: src/sys/i386/conf files.i386 src/sys/kern kern_fork.c src/sys/libkern arc4random.c src/sys/sys libkern.h
Message-ID:  <199911292135.NAA09413@apollo.backplane.com>
References:  <199911281751.JAA40710@freefall.freebsd.org> <199911292104.NAA09106@apollo.backplane.com> <19991129161327.E2999@spirit.jaded.net> <19991129162129.F2999@spirit.jaded.net>


:| 
:| I will include that in my next patch (which will randomize source ports).
:
:Actually, is there really benefit in doing so?  
:
:It was suggested that we don't give users the option of randomizing or not,
:and to just "do it."
:
:-- 
:Dan Moschuk (TFreak!dan@freebsd.org)

    Randomizing is a relatively 'weak' security fix, especially in light of
    the severe restrictions on both pid and port number ranges, even with
    a good random number generator.  I don't particularly see why it should
    be imposed on everyone.  And, frankly, I *use* the fact that pids tend
    to increment when I look at 'ps' and 'jobs -l' output just as a
    double check, and I'm sure other people do too.

    Randomizing things like the TCP initial sequence number is more beneficial
    due to the larger sequence space, but still somewhat limited by
    restrictions in the TCP protocol related to connection timeouts and
    the requirement that the initial sequence number be monotonically
    increasing within the timeout period for new connections using
    the same tuple (srcip,srcport,dstip,dstport).

    Probably the best overall solution is to use incrementing port numbers,
    guarantee a minimum time delay on port reuse, and then fully randomize
    the initial sequence number for the TCP connection.

					-Matt
					Matthew Dillon 
					<dillon@backplane.com>
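The allocation scheme Matt sketches (incrementing ephemeral ports, a guaranteed minimum delay before a port is reused, and a fully random ISN) can be illustrated with a small model. The following is an added example written for this archive page; it is not FreeBSD code and does not reflect what was committed. The class name `EphemeralPortAllocator`, the port range, the `min_reuse_delay` value and the injectable `clock` are all assumptions chosen for the illustration. The reuse delay is what keeps a (srcip,srcport,dstip,dstport) tuple from recurring inside the connection timeout window, which is what removes the need for the ISN to be monotonic and lets it be drawn from a CSPRNG.

```python
import secrets
import time


class EphemeralPortAllocator:
    """Model of the scheme discussed above (hypothetical, not FreeBSD's code):
    ports are handed out in increasing order, wrapping at the top of the
    range, and a port is never handed out again until at least
    `min_reuse_delay` seconds have passed since its previous allocation."""

    def __init__(self, low=49152, high=65535, min_reuse_delay=120.0,
                 clock=time.monotonic):
        if low > high:
            raise ValueError("empty port range")
        self.low, self.high = low, high
        self.min_reuse_delay = min_reuse_delay
        self.clock = clock          # injectable so the model can be tested
        self.next_port = low        # next candidate in the incrementing walk
        self.last_used = {}         # port -> time of its last allocation

    def allocate(self):
        """Return the next port that has been idle for the full reuse delay.

        Walks the range at most once from the current position; if every port
        was allocated too recently, the caller has to wait or fail rather than
        reuse a port inside the timeout window."""
        now = self.clock()
        span = self.high - self.low + 1
        for _ in range(span):
            port = self.next_port
            self.next_port = self.low + ((port - self.low + 1) % span)
            last = self.last_used.get(port)
            if last is None or now - last >= self.min_reuse_delay:
                self.last_used[port] = now
                return port
        raise RuntimeError("no ephemeral port has been idle long enough")


def random_isn():
    """Fully random 32-bit TCP initial sequence number from the OS CSPRNG.

    Because the allocator above guarantees a tuple cannot recur inside the
    reuse delay, no monotonicity across connections is needed here."""
    return secrets.randbits(32)


if __name__ == "__main__":
    alloc = EphemeralPortAllocator()
    for _ in range(3):
        print("port", alloc.allocate(), "isn", hex(random_isn()))
```

With the default 2^14-ish port range and a 120 s delay the allocator will only refuse when more than the whole range has been opened inside two minutes, which is exactly the condition under which a reused tuple could collide with a lingering connection.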






