Subject: Re: random ip_id must be configurable
To: Simon Burge <>
From: David Laight <>
List: tech-net
Date: 09/13/2003 11:11:59
On Sat, Sep 13, 2003 at 05:04:01PM +1000, Simon Burge wrote:
> On Fri, Sep 12, 2003 at 06:24:21AM +0900, Jun-ichiro itojun Hagino wrote:
> > >  * There are environments where the downside of reducing the (already small)
> > >    ip_id space overwhelms the alleged security gains.
> > 
> > 	reducing?  with ip_randomid(), the *guaranteed minimum* interval between
> > 	the generation of the same output value is 36000 calls.
> > 	even after 36000 calls, it is highly unlikely that we see the same
> > 	number generated from ip_randomid().  if you have concrete number
> > 	please show me.
> The following program (which originally used the kernel version of
> ip_randomid() but has been modified to use randomid(3)) shows that often
> enough, _consecutive_calls_ to randomid(3) return the _same_number_.
> This is using the 16-bit version of randomid(3) that (looks to) have the
> same configuration parameters as ip_randomid().  Very similar results
> were observed with ip_randomid() too.
> Here is some sample output showing that after 12339 calls we produced
> the same id as 55 calls prior to that, and at 465456 calls we produced
> the same id as the previous call.

Try the 20bit or 32bit generators, they only ever generate 16bit numbers!


David Laight: