Subject: Re: rpc xid randomness
To: None <fvdl@vaasje.org>
From: Jun-ichiro itojun Hagino <itojun@itojun.org>
List: tech-security
Date: 09/07/2003 04:55:48
> On Sat, Sep 06, 2003 at 03:00:32PM -0400, Thor Lancelot Simon wrote:
> > I don't think it actually does matter.  I also know that Larry McVoy
> > measured the overhead of randomizing RPC XIDs (and PIDs, and a number of 
> > other things that OpenBSD randomizes) and concluded that it was quite large,
> > for the net benefit (which I believe he correctly characterized as small
> > or, in some cases, nonexistent).
> 
> I agree. If you want secure RPC, then do it the proper way, and import
> the actual authenticated secure RPC code (which will be needed for other
> purposes, like NFSv4, anyway). We don't have it yet, but I think
> at least one of Free/OpenBSD does have it.

	that is a separate story, IMHO.  secure RPC is needed, but an unpredictable
	id (xid in this case) is also needed.

itojun