Subject: Re: Generation of TCP ISNs (Initial Sequence Numbers)
To: Claude Marinier <claude.marinier@dreo.dnd.ca>
From: Jason R Thorpe <thorpej@zembu.com>
List: netbsd-help
Date: 03/15/2001 08:27:02
On Thu, Mar 15, 2001 at 09:19:11AM -0500, Claude Marinier wrote:

 > There is talk of potential vulnerabilities in the generation of TCP ISNs.
 > Where do we stand? Are we quite random?

If you read the Guardent paper, you will note that NetBSD is said to be
better than both OpenBSD and FreeBSD wrt. TCP ISNs.  The algorithm we use
is much less susceptible to the statistical attack described in the paper,
because we generate a much larger number space and don't leak information
about ISNs out to the network.

There might be a couple of other things that we can do to further improve
things, but as it stands now, NetBSD is already very good in this area.

-- 
        -- Jason R. Thorpe <thorpej@zembu.com>
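Added example, not part of the original thread and not NetBSD's code: a toy model of the two design properties the reply mentions (a large, well-spread number space and per-connection offsets that never leave the host). It puts a counter-style ISN generator beside an RFC 1948-style one (secret-keyed hash of the connection 4-tuple plus a clock term) and measures how much an observer who opens a series of connections learns about the next ISN. The secret, the clock rate, the TEST-NET addresses and the entropy-of-deltas measure are all constructed for the example; the measure is a crude proxy for the statistical analysis in the Guardent paper, not a reimplementation of it.

```python
"""
Toy comparison of two TCP ISN generators (added example, not NetBSD's code).

  naive_isn  - a fixed-step counter: every delta between consecutive ISNs is
               identical, so the next ISN is trivially predictable.
  keyed_isn  - an RFC 1948-style construction: a monotonic clock term plus a
               keyed hash of the 4-tuple under a boot-time secret.  The hash
               offset is never sent on the wire, so ISNs seen on one 4-tuple
               say nothing about the offset used for another.

All secrets, addresses, ports, timings and the clock rate are constructed for
this example.
"""
import hashlib
import hmac
import math
from collections import Counter

ISN_SPACE = 2 ** 32          # TCP sequence numbers are 32-bit
TICKS_PER_SECOND = 250_000   # assumed clock rate for the clock term


def naive_isn(connection_index, step=64_000):
    """Weak generator: advances by a constant step per connection."""
    return (connection_index * step) % ISN_SPACE


def keyed_isn(secret, src_ip, src_port, dst_ip, dst_port, now_seconds):
    """RFC 1948-style generator: clock term + keyed hash of the 4-tuple."""
    clock_term = int(now_seconds * TICKS_PER_SECOND)
    tuple_bytes = f"{src_ip}:{src_port}->{dst_ip}:{dst_port}".encode()
    digest = hmac.new(secret, tuple_bytes, hashlib.sha256).digest()
    offset = int.from_bytes(digest[:4], "big")   # 32-bit per-tuple offset
    return (clock_term + offset) % ISN_SPACE


def deltas(isns):
    """Differences between consecutive ISNs, modulo the 32-bit space."""
    return [(b - a) % ISN_SPACE for a, b in zip(isns, isns[1:])]


def delta_entropy_bits(isns):
    """Shannon entropy of the delta distribution; 0.0 means every delta is equal."""
    d = deltas(isns)
    if not d:
        return 0.0
    counts = Counter(d)
    n = len(d)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def predict_next_linear(isns):
    """What a 'same delta again' guess would predict for the next ISN."""
    return (isns[-1] + deltas(isns)[-1]) % ISN_SPACE


def observe_naive(n):
    """n ISNs handed out by the counter generator."""
    return [naive_isn(i) for i in range(n)]


def observe_keyed(secret, n, start=1000.0, interval=0.5):
    """An observer opening n connections to one server from successive
    ephemeral ports, `interval` seconds apart (constructed scenario)."""
    return [
        keyed_isn(secret, "198.51.100.7", 40000 + i, "203.0.113.10", 80,
                  start + i * interval)
        for i in range(n)
    ]


if __name__ == "__main__":
    secret = b"example-boot-secret"       # constructed; a real host draws this at boot
    for name, sample in (("naive", observe_naive(64)),
                         ("keyed", observe_keyed(secret, 64))):
        print(f"{name}: delta entropy = {delta_entropy_bits(sample):.2f} bits")
```

For the counter generator the delta entropy is 0 bits and the linear guess is exactly right; for the keyed generator each new source port changes the hash offset, so the observed deltas are spread across the 32-bit space and the guess misses. The generator is still deterministic for a fixed tuple and clock, which is what lets a host reuse it safely across reboots as long as the secret changes.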