Subject: Re: synchronous ip_id
To: Jonathan Stone <jonathan@DSG.Stanford.EDU>
From: Niels Provos <firstname.lastname@example.org>
Date: 02/24/2003 17:47:41
On Mon, Feb 24, 2003 at 01:09:09PM -0800, Jonathan Stone wrote:
> Under those circumstances, replacing the linear ip_id algorithm with
> something more "secure" but which may repeat very quickly, sounds
> like a bad tradeoff.
Nobody was talking about repeating very quickly. My implementation
uses a masked linear congruential generator (LCG) that almost exhausts
a 15-bit space. The high bit is toggled to avoid number collisions
and allow for rekeying.
However, 16 bits are already by themselves a very tiny number space. If
you are in an environment in which 16-bit collisions are likely, it
might help to have separate ip_id counters for different destinations.
On the other hand, if you are thinking about a single high bandwidth
connection, this is not going to help you either.
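As an added example (not code from this mail or from any BSD ip_id implementation), here is a 15-bit masked LCG with the high-bit toggle on rekey that the message describes; the constants, function names and seeding scheme are assumptions, and this generator runs through the whole 15-bit space rather than almost exhausting it:

```c
#include <stdint.h>
#include <string.h>

/* Added illustration, not the mail's code. A 15-bit LCG x <- (a*x + c) mod
 * 2^15 has full period 32768 whenever c is odd and a == 1 (mod 4) (Hull-
 * Dobell), so every id of a cycle is distinct. Bit 15 is toggled at every
 * rekey so the new cycle lives in the other half of the 16-bit space. */
#define IPID_MASK   0x7fffu
#define IPID_PERIOD (IPID_MASK + 1)

struct ipid_state { uint32_t a, c, x; uint16_t hibit; };

/* Rekey from fresh randomness (a kernel would draw it from its RNG; here the
 * caller supplies the seed). Parameters are forced into full-period form. */
void ipid_rekey(struct ipid_state *s, uint32_t seed)
{
    s->a = ((seed & IPID_MASK) & ~3u) | 1;         /* a == 1 mod 4 */
    s->c = ((seed >> 15) & IPID_MASK) | 1;         /* c odd        */
    s->x = (seed * 2654435761u >> 17) & IPID_MASK; /* start point  */
    s->hibit ^= 0x8000;
}

uint16_t ipid_next(struct ipid_state *s)
{
    s->x = (s->a * s->x + s->c) & IPID_MASK;   /* the mask is the modulus */
    return (uint16_t)(s->hibit | s->x);
}

/* Self-check: one cycle after a rekey yields IPID_PERIOD distinct ids sharing
 * one high bit; the first id after the next rekey carries the other one. */
int ipid_selfcheck(uint32_t seed)
{
    static uint8_t seen[1u << 16];
    struct ipid_state s = { 0, 0, 0, 0 };
    memset(seen, 0, sizeof seen);
    ipid_rekey(&s, seed);
    uint16_t first = ipid_next(&s);
    seen[first] = 1;
    for (uint32_t i = 1; i < IPID_PERIOD; i++) {
        uint16_t id = ipid_next(&s);
        if (seen[id] || (id & 0x8000) != (first & 0x8000)) return 0;
        seen[id] = 1;
    }
    ipid_rekey(&s, seed + 1);
    return (ipid_next(&s) & 0x8000) != (first & 0x8000);
}
```

A power-of-two modulus makes the low-order bits cycle with a short period, which is one reason a prime modulus (leaving a few values unused) is often preferred in practice.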