Subject: Re: rpc xid randomness
To: None <,>
From: Thor Lancelot Simon <>
List: tech-security
Date: 09/06/2003 17:30:51
On Sun, Sep 07, 2003 at 05:10:24AM +0900, Jun-ichiro itojun Hagino wrote:
> > > 	given horsepower of today's machine the computation overhead is
> > > 	smaller than the benefit we'll get. (well, some of you run pdp10,
> > > 	but don't you want your pdp10 be secure against id predictability
> > > 	attacks?)
> > Perhaps good analogy might be - would you randomize phone
> > number allocation?
> 	when someone can tap the wire and impersonate you by caller ID,
> 	story goes very different.

Randomizing transaction IDs does *not* provide any kind of meaningful
protection against an active attack on the RPC protocol; it just makes
it very slightly harder.

If you want protection from RPC response spoofing attacks, you need to
use encryption or authentication at a lower network layer (e.g. IPsec)
or at the RPC layer itself.  If you don't care about that, it is very
hard for me to see what good the expensive half-measure of randomizing
transaction IDs will do you -- and if you _are_ using meaningful protection
of your RPC system, it is simply annoying, pointless overhead.

Perhaps it would make sense to make XID randomization an optional feature.
However, since I suspect that the set of users who care about security,
but, you know, only a _little_ bit, is pretty small, I suspect few would
use it.

 Thor Lancelot Simon	                            
   But as he knew no bad language, he had called him all the names of common
 objects that he could think of, and had screamed: "You lamp!  You towel!  You
 plate!" and so on.              --Sigmund Freud