Subject: Re: rpc xid randomness
To: None <>
From: Jun-ichiro itojun Hagino <>
List: tech-security
Date: 09/07/2003 15:06:58
> > > 	when someone can tap the wire and impersonate you by caller ID,
> > > 	story goes very different.
> > Randomizing transaction IDs does *not* provide any kind of meaningful
> > protection against an active attack on the RPC protocol; it just makes
> > it very slightly harder.
> 	why are we using (poorly-designed) pseudorandom number instead of
> 	sequential number right now?

	note that current time.tv_sec/usec method does not guarantee
	non-reuse, at all.  therefore it does not satisfy the requirement for
	xid.  sequential number and niels' generator do satisfy the requirement.
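An added example, not part of the original message or of any NetBSD code, comparing xid reuse for a time-derived value, a sequential counter, and a permuted counter when several calls land within one clock tick. Assumptions: the XOR mixing in `xid_time`, the 100 Hz clock, the base timestamp and the workload are constructed for illustration, and `xid_perm` is a generic bijection used as a stand-in, not Niels' generator.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#define NCALLS 1000   /* calls issued per simulated run */

/* Assumed time-derived xid; the post does not give the exact mixing. */
static uint32_t xid_time(uint32_t sec, uint32_t usec) { return sec ^ usec; }
/* Sequential xid: no value repeats until the 32-bit counter wraps. */
static uint32_t xid_seq(uint32_t *ctr) { return (*ctr)++; }

/* Generic stand-in, not Niels' generator: each step is invertible on 32 bits. */
static uint32_t xid_perm(uint32_t *ctr)
{
    uint32_t x = (*ctr)++;
    x *= 0x9E3779B1u;   /* odd multiplier: invertible mod 2^32 */
    x ^= x >> 15;       /* xor-shift: invertible */
    x *= 0x85EBCA6Bu;   /* odd multiplier: invertible mod 2^32 */
    return x;
}

static int cmp_u32(const void *a, const void *b)
{
    uint32_t x = *(const uint32_t *)a, y = *(const uint32_t *)b;
    return (x > y) - (x < y);
}

/* Issue NCALLS xids, per_tick calls per 100 Hz tick (constructed workload), and
 * return how many reuse an earlier value. which: 0 = time, 1 = seq, 2 = perm. */
size_t reuse_in_run(int which, unsigned per_tick)
{
    static uint32_t v[NCALLS];
    uint32_t ctr = 0;
    size_t i, dup = 0;
    for (i = 0; i < NCALLS; i++) {
        uint32_t us = (uint32_t)(i / per_tick) * 10000u; /* microseconds elapsed */
        v[i] = which == 0 ? xid_time(1000000000u + us / 1000000u, us % 1000000u)
             : which == 1 ? xid_seq(&ctr) : xid_perm(&ctr);
    }
    qsort(v, NCALLS, sizeof v[0], cmp_u32);
    for (i = 1; i < NCALLS; i++)
        dup += (v[i] == v[i - 1]);
    return dup;
}

int main(void)
{
    printf("reused: time=%zu seq=%zu perm=%zu\n", reuse_in_run(0, 4), reuse_in_run(1, 4), reuse_in_run(2, 4));
    return 0;
}
```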