source-changes: Re: CVS commit: src/sys/netinet

Subject: Re: CVS commit: src/sys/netinet
To: Steven M. Bellovin <smb@research.att.com>
From: David Laight <david@l8s.co.uk>
List: source-changes
Date: 09/07/2003 20:41:02

> >One way to do this is encrypting a counter with a 32 bit block cipher,
> >but until a few minutes ago I was unaware of any. (Now I've learned of
> >one on the cryptography mailing list.)

How about a 15 or 16 bit block cipher?

You actually need to use a 31bit cipher so that you can change the key
after generating 2^31 numbers.  Otherwise the sequence repeats after
2^32 values.

> Right, but some uses for such things have stronger non-repitition 
> requirements.  For example, the TCP initial sequence number shouldn't 
> repeat for 2*maximum segment lifetime.  The IPid field shouldn't repeat 
> for somewhat longer than the fragment lifetime on the receiving system.

This all gets hard! What do you do if you run out of such numbers?

Actually the TCP initial sequence number is ok because the port number
is frozen.  After all the segment lifetime is unknown...

	David

-- 
David Laight: david@l8s.co.uk