Subject: Re: rpc xid randomness
To: None <email@example.com>
From: Jun-ichiro itojun Hagino <firstname.lastname@example.org>
Date: 09/07/2003 15:06:58
> > > when someone can tap the wire and impersonate you by caller ID,
> > > story goes very different.
> > Randomizing transaction IDs does *not* provide any kind of meaningful
> > protection against an active attack on the RPC protocol; it just makes
> > it very slightly harder.
> why are we using (poorly-designed) pseudorandom number instead of
> sequential number right now?
note that current time.tv_sec/usec method does not guarantee
non-reuse, at all. therefore it does not satisfy the requirement for
xid. sequential number and niels' generator do satisfy the requirement.