Subject: Re: rpc xid randomness
To: None <tech-security@netbsd.org, tech-userlevel@netbsd.org>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-userlevel
Date: 09/06/2003 17:30:51
On Sun, Sep 07, 2003 at 05:10:24AM +0900, Jun-ichiro itojun Hagino wrote:
> > > 	given horsepower of today's machine the computation overhead is
> > > 	smaller than the benefit we'll get. (well, some of you run pdp10,
> > > 	but don't you want your pdp10 be secure against id predictability
> > > 	attacks?)
> > Perhaps good analogy might be - would you randomize phone
> > number allocation?
> 
> 	when someone can tap the wire and impersonate you by caller ID,
> 	story goes very different.

Randomizing transaction IDs does *not* provide any kind of meaningful
protection against an active attack on the RPC protocol; it just makes
it very slightly harder.

If you want protection from RPC response spoofing attacks, you need to
use encryption or authentication at a lower network layer (e.g. IPsec)
or at the RPC layer itself.  If you don't care about that, it is very
hard for me to see what good the expensive half-measure of randomizing
transaction IDs will do you -- and if you _are_ using meaningful protection
of your RPC system, it is simply annoying, pointless overhead.

Perhaps it would make sense to make XID randomization an optional feature.
However, since I suspect that the set of users who care about security,
but, you know, only a _little_ bit, is pretty small, I suspect few would
use it.

-- 
 Thor Lancelot Simon	                                      tls@rek.tjls.com
   But as he knew no bad language, he had called him all the names of common
 objects that he could think of, and had screamed: "You lamp!  You towel!  You
 plate!" and so on.              --Sigmund Freud