Date:      Wed, 25 Jul 2001 17:38:59 -0700
From:      Sean Chittenden <sean-freebsd-arch@chittenden.org>
To:        Mike Silbersack <silby@silby.com>
Cc:        Barney Wolff <barney@databus.com>, arch@FreeBSD.ORG, net@FreeBSD.ORG
Subject:   Re: TCP sequence numbers: RFC1948 patch ready for testing
Message-ID:  <20010725173859.C65546@rand.tgd.net>
In-Reply-To: <20010725185434.V35719-100000@achilles.silby.com>; from "silby@silby.com" on Wed, Jul 25, 2001 at 07:04:54PM
References:  <20010725032805.A21133@tp.databus.com> <20010725185434.V35719-100000@achilles.silby.com>


> > 2.  By rekeying you risk violating the monotonicity of the isn across
> > the rekeying, which is the whole point of not just doing random isn.
>
> I'll go ahead and remove the isn_offset addition.  I'm not really willing
> to remove the rekeying, though; we can't say that a faster method of brute
> force attack will not arise.  Would a longer rekeying interval such as a
> day or two suffice?  I'm not concerned about rekeying breaking a few
> connections given that it will only happen occasionally.

	While I agree that rekeying isn't something that should be
removed, I am concerned with your last sentence.  Breaking TCP sessions
strikes me as an indicator that there needs to be some way of
configuring this.  Is there any chance you could make this a tunable
variable through sysctl such as the number of seconds between rekeying?

	Along similar lines, given that rekeying can be done lazily,
would it be possible to rekey through the use of an external program
that would be called by cron?  If TCP sessions are going to be dropped,
I want to be able to control, know, and plan when without giving up the
added TCP security that this patch provides.  -sc

-- 
Sean Chittenden

-----BEGIN PGP SIGNATURE-----
Comment: Sean Chittenden <sean@chittenden.org>

iEYEARECAAYFAjtfZqIACgkQn09c7x7d+q3n1wCgq2pbyWeB1qwFW+R57u+nBK8S
/gwAmwbrOVaXy3pXyIZcSr9OJ0WTOSnG
=o2yj
-----END PGP SIGNATURE-----
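The monotonicity concern in the quoted exchange above (rekeying changes the per-connection offset, so ISNs for the same 4-tuple no longer advance in step with the clock) can be seen directly in a small user-space model of RFC 1948 ISN selection. This is an added example, not code from the thread or from the FreeBSD patch under discussion. It assumes the RFC 1948 form ISN = M + F(localhost, localport, remotehost, remoteport, secret) with M a 4-microsecond tick counter and F an MD5 of the tuple and secret (the exact byte layout fed to the hash, the `IsnGenerator` class, its `rekey_interval_s` parameter standing in for the sysctl the e-mail asks for, and all connection tuples and secrets are constructed for illustration):

```python
# Added example, not code from the original thread or the FreeBSD patch:
# a user-space model of RFC 1948 ISN selection, used to show why changing
# the secret (rekeying) breaks the per-connection monotonicity of the ISN.
import hashlib
import struct

MOD = 1 << 32
TICKS_PER_SECOND = 250_000   # RFC 1948 clock: one tick every 4 microseconds


def tuple_hash(local_ip, local_port, remote_ip, remote_port, secret):
    """F(localhost, localport, remotehost, remoteport, secret) from RFC 1948.

    RFC 1948 suggests MD5; the hash choice is not the point here, so MD5 is
    kept to match the text.  The byte layout is an assumption of this
    example.  Returns a 32-bit per-connection offset."""
    h = hashlib.md5()
    h.update(secret)
    h.update(local_ip.encode() + struct.pack("!H", local_port))
    h.update(remote_ip.encode() + struct.pack("!H", remote_port))
    return struct.unpack("!I", h.digest()[:4])[0]


def isn(t_ticks, four_tuple, secret):
    """ISN = M + F(four_tuple, secret) mod 2^32, M being the tick counter."""
    return (t_ticks + tuple_hash(*four_tuple, secret)) % MOD


class IsnGenerator:
    """Hypothetical generator that rotates its secret every rekey_interval_s
    seconds; rekey_interval_s stands in for the sysctl the e-mail asks for.

    `secrets` is a constructed list with one secret per rekey epoch so the
    example is deterministic; a kernel would draw each from its RNG."""

    def __init__(self, secrets, rekey_interval_s):
        self.secrets = list(secrets)
        self.interval_ticks = rekey_interval_s * TICKS_PER_SECOND

    def secret_at(self, t_ticks):
        epoch = t_ticks // self.interval_ticks
        return self.secrets[min(epoch, len(self.secrets) - 1)]

    def isn(self, t_ticks, four_tuple):
        return isn(t_ticks, four_tuple, self.secret_at(t_ticks))


def forward_distance(a, b):
    """How far b lies ahead of a on the 32-bit sequence-number circle."""
    return (b - a) % MOD


def is_monotonic_step(isn1, isn2, t1_ticks, t2_ticks):
    """True when the ISN advanced by exactly the elapsed ticks: the property
    RFC 1948 gives one connection tuple as long as the secret is unchanged."""
    return forward_distance(isn1, isn2) == (t2_ticks - t1_ticks) % MOD


def rekey_jump(four_tuple, old_secret, new_secret):
    """Displacement a rekey adds on top of the elapsed time for one tuple."""
    return forward_distance(tuple_hash(*four_tuple, old_secret),
                            tuple_hash(*four_tuple, new_secret))


def appears_backward(isn1, isn2):
    """True when isn2 lies in the 'past' half of the circle relative to isn1,
    i.e. the new incarnation's ISN is behind the old one."""
    return forward_distance(isn1, isn2) > (MOD >> 1)


def demo():
    # Constructed connection tuple and secrets (not from the thread).
    conn = ("10.0.0.1", 40000, "10.0.0.2", 80)
    one_day = 86_400
    stable = IsnGenerator([b"constructed-secret-A"], one_day)
    rekeyed = IsnGenerator([b"constructed-secret-A", b"constructed-secret-B"], one_day)

    # Two ISNs 1000 ticks apart with no rekey in between: monotonic.
    t1, t2 = 5_000, 6_000
    a1, a2 = stable.isn(t1, conn), stable.isn(t2, conn)

    # The same 1000-tick gap straddling the rekey boundary: the offset
    # changes by rekey_jump(), so the ISN no longer tracks the clock.
    boundary = rekeyed.interval_ticks
    t3, t4 = boundary - 500, boundary + 500
    b1, b2 = rekeyed.isn(t3, conn), rekeyed.isn(t4, conn)
    jump = rekey_jump(conn, rekeyed.secrets[0], rekeyed.secrets[1])
    return {
        "stable_monotonic": is_monotonic_step(a1, a2, t1, t2),
        "rekeyed_monotonic": is_monotonic_step(b1, b2, t3, t4),
        "rekeyed_distance": forward_distance(b1, b2),
        "expected_distance": (t4 - t3 + jump) % MOD,
        "rekeyed_backward": appears_backward(b1, b2),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it to see that across the rekey the distance between the two ISNs equals the elapsed ticks plus the hash jump rather than the elapsed ticks alone; when that jump lands in the upper half of the circle the new ISN is effectively behind the old one, which is the case that lets a stale segment from the earlier incarnation fall inside the new window. The rekey interval is the only knob in this model, which is why the e-mail wants it tunable and its timing observable.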






Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010725173859.C65546>