Date: Mon, 16 Apr 2001 23:30:42 -0700 From: Kris Kennaway <kris@obsecurity.org> To: Matt Dillon <dillon@earth.backplane.com> Cc: Niels Provos <provos@citi.umich.edu>, Kris Kennaway <kris@obsecurity.org>, Wes Peters <wes@softweyr.com>, freebsd-security@FreeBSD.ORG, net@FreeBSD.ORG, provos@OpenBSD.org Subject: Re: non-random IP IDs Message-ID: <20010416233042.A21394@xor.obsecurity.org> In-Reply-To: <200104170157.f3H1v4d87804@earth.backplane.com>; from dillon@earth.backplane.com on Mon, Apr 16, 2001 at 06:57:04PM -0700 References: <20010416214611.6DA3F207C1@citi.umich.edu> <200104170157.f3H1v4d87804@earth.backplane.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--LQksG6bCIzRHxTLp Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Apr 16, 2001 at 06:57:04PM -0700, Matt Dillon wrote: >=20 > :No reasoning. You do not need the htons(). The fragment ids just > :need to be unique. An htons() does not change that property. I dont > :like that code very much. A variable-block-size cipher in counter > :mode would do the job better. > : > :However, what many ppl do not realize is that you can use predictable > :ip ids to anonymously port scan machines. Bugtraq talks about how to > :do that. > : > :Niels. >=20 > It's not worth doing. We would be introducing unnecessary cpu burn on > every single packet we sent out, all to solve a problem that doesn't > really exist. Well, that's why it's a sysctl defaulting to off in my patch. Don't turn it on if you don't want to. Kris --LQksG6bCIzRHxTLp Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE62+MSWry0BWjoQKURAgE9AJ96+j/E1Qs1Z1zMQq98Ig3S2lXjcwCg6V9k sRXiXBxL0MznuvHiSe7j/vk= =rx/L -----END PGP SIGNATURE----- --LQksG6bCIzRHxTLp-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010416233042.A21394>