Re: CVS commit: src/sys/netinet

To: "Steven M. Bellovin" <smb%research.att.com@localhost>
Subject: Re: CVS commit: src/sys/netinet
From: David Laight <david%l8s.co.uk@localhost>
Date: Sun, 7 Sep 2003 20:41:02 +0100

> >One way to do this is encrypting a counter with a 32 bit block cipher,
> >but until a few minutes ago I was unaware of any. (Now I've learned of
> >one on the cryptography mailing list.)

How about a 15 or 16 bit block cipher?

You actually need to use a 31bit cipher so that you can change the key
after generating 2^31 numbers.  Otherwise the sequence repeats after
2^32 values.

> Right, but some uses for such things have stronger non-repitition 
> requirements.  For example, the TCP initial sequence number shouldn't 
> repeat for 2*maximum segment lifetime.  The IPid field shouldn't repeat 
> for somewhat longer than the fragment lifetime on the receiving system.

This all gets hard! What do you do if you run out of such numbers?

Actually the TCP initial sequence number is ok because the port number
is frozen.  After all the segment lifetime is unknown...

        David

-- 
David Laight: david%l8s.co.uk@localhost

References:
- Re: CVS commit: src/sys/netinet
  - From: Perry E. Metzger
- Re: CVS commit: src/sys/netinet
  - From: Steven M. Bellovin

Prev by Date: CVS commit: src/distrib/sets/lists/base
Next by Date: CVS commit: src/sys/arch/sparc/sparc
Previous by Thread: Re: CVS commit: src/sys/netinet
Next by Thread: Re: CVS commit: src/sys/netinet
Indexes:

Home | Main Index | Thread Index | Old Index