Subject: Re: synchronous ip_id
To: Jonathan Stone <jonathan@DSG.Stanford.EDU>
From: Niels Provos <>
List: tech-net
Date: 02/24/2003 17:47:41
On Mon, Feb 24, 2003 at 01:09:09PM -0800, Jonathan Stone wrote:
> Under those circumstances, replacing the linear ip_id algorithm with
> something more "secure" but which may repeat very quickly, sounds
> like a bad tradeoff.
Nobody was talking about repeating very quickly.  My implementation
uses a masked linear congruential generator (LCG) that almost exhausts
a 15-bit space.  The high bit is toggled to avoid number collisions
and allow for rekeying.

However, 16-bit are already by itself a very tiny number space.  If
you are in an environment in which 16-bit collisions are likely, it
might help to have separate ip_id counters for different destinations.
On the other hand, if you are thinking about a single high bandwidth
connection, this is not going to help you either.