Date:      Tue, 17 Jul 2001 20:29:02 -0700
From:      Kris Kennaway <kris@obsecurity.org>
To:        Mike Silbersack <silby@silby.com>
Cc:        freebsd-arch@FreeBSD.ORG
Subject:   Re: TCP Initial Sequence Numbers: We need to talk
Message-ID:  <20010717202901.A89611@xor.obsecurity.org>
In-Reply-To: <20010717212424.X3382-100000@achilles.silby.com>; from silby@silby.com on Tue, Jul 17, 2001 at 09:49:03PM -0500
References:  <20010717212424.X3382-100000@achilles.silby.com>



On Tue, Jul 17, 2001 at 09:49:03PM -0500, Mike Silbersack wrote:

> In order to meet these requirements, I propose that we use the following
> system:
>
> For SYN-ACKs:  Use the value of arc4random() as our ISN.
>
> For SYNs:  Use the value generated by the rfc1948 scheme, with the
> modification that the secret used in the hash be changed on a weekly
> basis.  (This will break recycling for perhaps a minute a week, but it
> will ensure that the hash can not be bruteforced and also make sure that
> the system's uptime cannot be easily tracked.)
>
> Comments are appreciated.

If you're going to implement RFC 1948, why not just implement RFC
1948? :-)

Kris
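
The scheme in the quoted proposal, as an added example that is not part of either message or of FreeBSD's code: outgoing SYNs get an RFC 1948 ISN (4-microsecond timer plus an MD5 over the connection 4-tuple and a secret) with the secret replaced weekly, and SYN-ACKs get a random value. `IsnGenerator`, `seq_delta`, the 16-byte secret size and `secrets.randbits()` standing in for arc4random() are assumptions made for the sketch.

```python
import hashlib
import secrets
import socket
import struct

WEEK = 7 * 24 * 3600  # rotation period taken from the quoted proposal


def seq_delta(a, b):
    """Distance from ISN a to ISN b in 32-bit sequence space."""
    return (b - a) & 0xFFFFFFFF


class IsnGenerator:
    """RFC 1948 ISNs for outgoing SYNs, random ISNs for SYN-ACKs."""

    def __init__(self, now):
        self.epoch = int(now) // WEEK
        self.secret = secrets.token_bytes(16)  # assumed secret size

    def _rotate(self, now):
        # Replace the secret once per week. ISNs for one 4-tuple stop being
        # monotonic across this boundary, which is the short window of
        # broken recycling that the proposal accepts.
        epoch = int(now) // WEEK
        if epoch != self.epoch:
            self.epoch = epoch
            self.secret = secrets.token_bytes(16)

    def _offset(self, laddr, lport, raddr, rport):
        # F = MD5(localhost, localport, remotehost, remoteport, secret)
        data = (socket.inet_aton(laddr) + struct.pack("!H", lport) +
                socket.inet_aton(raddr) + struct.pack("!H", rport) +
                self.secret)
        return struct.unpack("!I", hashlib.md5(data).digest()[:4])[0]

    def syn_isn(self, now, laddr, lport, raddr, rport):
        self._rotate(now)
        m = int(now * 250_000)  # M: the 4-microsecond timer of RFC 1948
        return (m + self._offset(laddr, lport, raddr, rport)) & 0xFFFFFFFF

    def synack_isn(self):
        # Passive opens: no per-tuple structure, just 32 random bits.
        return secrets.randbits(32)
```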
