Re: port-xen/40739: no entropy device sourcese on 5.0_RC2 XEN3PAE_DOMU
The following reply was made to PR port-xen/40739; it has been noted by GNATS.
From: Christoph Badura <bad%bsd.de@localhost>
To: Manuel Bouyer <bouyer%antioche.eu.org@localhost>
Subject: Re: port-xen/40739: no entropy device sourcese on 5.0_RC2 XEN3PAE_DOMU
Date: Tue, 3 Mar 2009 23:12:21 +0100
On Tue, Mar 03, 2009 at 11:02:01AM +0100, Manuel Bouyer wrote:
> On Mon, Mar 02, 2009 at 11:32:52PM +0100, Christoph Badura wrote:
> OK, so why is entropy collection disabled by default for all network
> interfaces ? Your demonstration would apply to network interfaces as well.
I don't know as I wasn't involved in that discussion. If you go and grovel
the mailing list archives, maybe you can find something.
> > But being connected to a switch is *not* being on a shared network, because
> > it hides traffic from other machines in the same logical (sub) network.
> not really, as another host on the same switch can affect jitter for
> a given host (even if they are on different vlans).
Oh, sure they can affect that. It isn't sufficient to affect it in any
random way, though. You have to affect it so that the stream of random
bits being output becomes predictable to some degree.
> Why don't you find one that backs yours?
I already took steps in that direction. I invited Steven Bellovin and
Perry Metzger to give their opinion on the matter.
Would these two be acceptable to you?
> I don't have authority; but until I find someone who can show that
> an attack is not possible through xen block devices, I'll be conservative.
If you are that concerned about a possible attack, you should rip out the
calls to rnd_add_uint32() from the network drivers.