Subject: Re: random ip_id must be configurable
To: Simon Burge <email@example.com>
From: David Laight <firstname.lastname@example.org>
Date: 09/13/2003 11:11:59
On Sat, Sep 13, 2003 at 05:04:01PM +1000, Simon Burge wrote:
> On Fri, Sep 12, 2003 at 06:24:21AM +0900, Jun-ichiro itojun Hagino wrote:
> > > * There are environments where the downside of reducing the (already small)
> > > ip_id space overwhelms the alleged security gains.
> > reducing? with ip_randomid(), the *guaranteed minimum* interval between
> > the generation of the same output value is 36000 calls.
> > even after 36000 calls, it is highly unlikely that we see the same
> > number generated from ip_randomid(). if you have concrete number
> > please show me.
> The following program (which originally used the kernel version of
> ip_randomid() but has been modified to use randomid(3)) shows that often
> enough, _consecutive_calls_ to randomid(3) return the _same_number_.
> This is using the 16-bit version of randomid(3) that (looks to) have the
> same configuration parameters as ip_randomid(). Very similar results
> were observed with ip_randomid() too.
> Here is some sample output showing that after 12339 calls we produced
> the same id as 55 calls prior to that, and at 465456 calls we produced
> the same id as the previous call.
Try the 20bit or 32bit generators, they only ever generate 16bit numbers!
David Laight: email@example.com