From owner-freebsd-net Wed Jul 25 17:39:13 2001 Delivered-To: freebsd-net@freebsd.org Received: from mail.tgd.net (rand.tgd.net [64.81.67.117]) by hub.freebsd.org (Postfix) with SMTP id E6EC737B406 for ; Wed, 25 Jul 2001 17:39:04 -0700 (PDT) (envelope-from sean@mailhost.tgd.net) Received: (qmail 66726 invoked by uid 1001); 26 Jul 2001 00:38:59 -0000 Date: Wed, 25 Jul 2001 17:38:59 -0700 From: Sean Chittenden To: Mike Silbersack Cc: Barney Wolff , arch@FreeBSD.ORG, net@FreeBSD.ORG Subject: Re: TCP sequence numbers: RFC1948 patch ready for testing Message-ID: <20010725173859.C65546@rand.tgd.net> References: <20010725032805.A21133@tp.databus.com> <20010725185434.V35719-100000@achilles.silby.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="OBd5C1Lgu00Gd/Tn" Content-Disposition: inline In-Reply-To: <20010725185434.V35719-100000@achilles.silby.com>; from "silby@silby.com" on Wed, Jul 25, 2001 at = 07:04:54PM X-PGP-Key: 0x1EDDFAAD X-PGP-Fingerprint: C665 A17F 9A56 286C 5CFB 1DEA 9F4F 5CEF 1EDD FAAD X-Web-Homepage: http://sean.chittenden.org/ Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --OBd5C1Lgu00Gd/Tn Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable > > 2. By rekeying you risk violating the monotonicity of the isn across > > the rekeying, which is the whole point of not just doing random isn. >=20 > I'll go ahead and remove the isn_offset addition. I'm not really willing > to remove the rekeying, though; we can't say that a faster method of brute > force attack will not arise. Would a longer rekeying interval such as a > day or two suffice? I'm not concerned about rekeying breaking a few > connections given that it will only happen occasionally. While I agree that rekeying isn't something that should be removed, I am concerned with your last sentence. Breaking TCP sessions strikes me as an indicator that there needs to be some way of configuring this. Is there any chance you could make this a tunable variable through sysctl such as the number of seconds between rekeying? Along similar lines, given that rekeying can be done lazily, would it be possible to rekey through the use of an external program that would be called by cron? If TCP sessions are going to be dropped, I want to be able to control, know, and plan when without giving up the added TCP security that this patch provides. -sc --=20 Sean Chittenden --OBd5C1Lgu00Gd/Tn Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Comment: Sean Chittenden iEYEARECAAYFAjtfZqIACgkQn09c7x7d+q3n1wCgq2pbyWeB1qwFW+R57u+nBK8S /gwAmwbrOVaXy3pXyIZcSr9OJ0WTOSnG =o2yj -----END PGP SIGNATURE----- --OBd5C1Lgu00Gd/Tn-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message