Date: Tue, 17 Jul 2001 20:29:02 -0700
From: Kris Kennaway
To: Mike Silbersack
Cc: freebsd-arch@FreeBSD.ORG
Subject: Re: TCP Initial Sequence Numbers: We need to talk
Message-ID: <20010717202901.A89611@xor.obsecurity.org>

On Tue, Jul 17, 2001 at 09:49:03PM -0500, Mike Silbersack wrote:

> In order to meet these requirements, I propose that we use the following
> system:
>
> For SYN-ACKs: Use the value of arc4random() as our ISN.
>
> For SYNs: Use the value generated by the rfc1948 scheme, with the
> modification that the secret used in the hash be changed on a weekly
> basis. (This will break recycling for perhaps a minute a week, but it
> will ensure that the hash can not be bruteforced and also make sure that
> the system's uptime cannot be easily tracked.)
>
> Comments are appreciated.

If you're going to implement RFC 1948, why not just implement RFC 1948? :-)

Kris
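The RFC 1948 formula that the quoted proposal builds on, ISN = M + F(localhost, localport, remotehost, remoteport), as an added example that is not part of the original message or of FreeBSD's code. It shows that with a fixed secret a 4-tuple's ISN only moves forward, while a change of secret (the weekly rekey in the proposal) makes roughly half of the reused 4-tuples step backwards in sequence space. The hash input layout, addresses and secrets are constructed for illustration, and the old connection's ISN stands in for the last sequence number it used.

```python
import hashlib
import socket
import struct

TICKS_PER_SEC = 250_000  # M in RFC 1948: 32-bit clock that ticks every 4 microseconds
MASK = 0xFFFFFFFF

def offset(secret, laddr, lport, raddr, rport):
    """F(localhost, localport, remotehost, remoteport): MD5 over the
    connection 4-tuple plus a secret. The field order and the use of the
    first 4 digest bytes are choices made for this example."""
    blob = (socket.inet_aton(laddr) + struct.pack("!H", lport) +
            socket.inet_aton(raddr) + struct.pack("!H", rport) + secret)
    return struct.unpack("!I", hashlib.md5(blob).digest()[:4])[0]

def isn(secret, now, conn):
    """ISN = M + F(...), modulo 2**32; `now` is seconds as a float."""
    return (int(now * TICKS_PER_SEC) + offset(secret, *conn)) & MASK

def seq_gt(a, b):
    """True if a is ahead of b in 32-bit sequence space."""
    return a != b and ((a - b) & MASK) < 0x80000000

def regressions(conns, old_secret, new_secret, t0, gap):
    """Count 4-tuples whose ISN at t0+gap is NOT ahead of their ISN at t0,
    i.e. reconnects that would fail a 'new ISN must be ahead of the old
    one' check on a peer still holding the old connection in TIME_WAIT."""
    return sum(not seq_gt(isn(new_secret, t0 + gap, c), isn(old_secret, t0, c))
               for c in conns)

# Constructed sample data: 200 client ports from one host to one server.
CONNS = [("192.0.2.10", 40000 + i, "198.51.100.5", 80) for i in range(200)]
OLD, NEW = b"constructed-secret-week-1", b"constructed-secret-week-2"

if __name__ == "__main__":
    print("same secret :", regressions(CONNS, OLD, OLD, 1000.0, 5.0))
    print("after rekey :", regressions(CONNS, OLD, NEW, 1000.0, 5.0))
```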