Subject: Re: random ip_id must be configurable
To: None <tech-net@netbsd.org>
From: Simon Burge <simonb@wasabisystems.com>
List: tech-net
Date: 09/16/2003 11:49:11
On Tue, Sep 16, 2003 at 11:16:43AM +1000, Simon Burge wrote:

Looking a little further, the original rev 1.1 of OpenBSD's
sys/netinet/ip_id.c works (with a gap of under 12000 between repeating
ids (and not 30000) as David Laight suggested).  However, in August
'99 the following change was made:

	add an inner xor to make prediction attacks against the ids harder, due
	to an attack pointed out by David Wagner.

The full diff is below.  I have _no_ idea about the math behind this
change.  With rev 1.1 of ip_id.c, I see:

id 34416  last call for id at     11636, current call     23915 (diff 12279)
id 58871  last call for id at     11923, current call     24024 (diff 12101)
id  9719  last call for id at     23785, current call     35776 (diff 11991)
id 57433  last call for id at     35699, current call     47661 (diff 11962)
id 49457  last call for id at     83259, current call     95164 (diff 11905)
id 47365  last call for id at    130809, current call    142632 (diff 11823)
id 62832  last call for id at   1458391, current call   1470204 (diff 11813)
id 31086  last call for id at   3104985, current call   3116776 (diff 11791)
id 35103  last call for id at   3400911, current call   3412697 (diff 11786)
id 64654  last call for id at  13967366, current call  13979144 (diff 11778)

With rev 1.2, I see:

id 29878  last call for id at     44797, current call     44828 (diff    31)
id  1405  last call for id at    296532, current call    296545 (diff    13)
id 37299  last call for id at   2781923, current call   2781925 (diff     2)
id 59486  last call for id at   4036328, current call   4036330 (diff     2)
id  6003  last call for id at   6085791, current call   6085792 (diff     1)
id  9479  last call for id at   9478245, current call   9478246 (diff     1)
id 24706  last call for id at  13382568, current call  13382569 (diff     1)

> Maybe we should #ifdef out the use of the current generator until this
> problem is addressed?

Can I strongly suggest that we look into the reasons for that particular
change and why it changed the behaviour of the generator before changing
anything?

Simon.
--
Simon Burge                                   <simonb@wasabisystems.com>
NetBSD Development, Support and Service:   http://www.wasabisystems.com/


===================================================================
RCS file: /usr/OpenBSD/cvs/src/sys/netinet/ip_id.c,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- src/sys/netinet/ip_id.c     1998/12/26 12:35:12     1.1
+++ src/sys/netinet/ip_id.c     1999/08/26 13:37:01     1.2
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_id.c,v 1.1 1998/12/26 12:35:12 provos Exp $ */
+/* $OpenBSD: ip_id.c,v 1.2 1999/08/26 13:37:01 provos Exp $ */

 /*
  * Copyright 1998 Niels Provos <provos@citi.umich.edu>
@@ -76,7 +76,7 @@
 };
   
 static u_int16_t ru_x; 
-static u_int16_t ru_seed;
+static u_int16_t ru_seed, ru_seed2;
 static u_int16_t ru_a, ru_b;
 static u_int16_t ru_g;
 static u_int16_t ru_counter = 0;
@@ -136,6 +136,8 @@

        /* 15 bits of random seed */
        ru_seed = (tmp >> 16) & 0x7FFF;
+       get_random_bytes((void *) &tmp, sizeof(tmp));   
+       ru_seed2 = tmp & 0x7FFF;

        get_random_bytes((void *) &tmp, sizeof(tmp));

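Review bot: the added ru_seed2 assignment has no comment, and the existing "15 bits of random seed" comment above it now reads as describing ru_seed only. Say here what the second seed is for (it is XORed into the exponent passed to pmod() in the last hunk) and that it is likewise masked to 15 bits with `tmp & 0x7FFF`. The added get_random_bytes() line also ends in trailing whitespace.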
@@ -195,5 +197,5 @@
   
        ru_counter += i; 


-       return (ru_seed ^ pmod(ru_g,ru_x,RU_N)) | ru_msb;
+       return (ru_seed ^ pmod(ru_g,ru_seed2 ^ ru_x,RU_N)) | ru_msb;
 }
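Review bot: in the new return line, `ru_seed2 ^ ru_x` is handed to pmod() as the exponent with no reduction or range check. ru_seed2 is a free 15-bit value, so the XOR can move the exponent outside whatever range ru_x is kept in, and two exponents that are congruent modulo the order of ru_g modulo RU_N produce the same id. Either reduce the XORed value back into the range over which the powers of ru_g are distinct, or add a comment giving the argument for why distinct ru_x values still yield distinct ids within one seeding period; the rev 1.2 figures in the mail above (the same id returned 1 to 31 calls apart) suggest they do not.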