Subject: Re: rpc xid randomness
To: None <tech-security@netbsd.org, tech-userlevel@netbsd.org>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-security
Date: 09/06/2003 17:30:51

On Sun, Sep 07, 2003 at 05:10:24AM +0900, Jun-ichiro itojun Hagino wrote:
> > > given horsepower of today's machine the computation overhead is
> > > smaller than the benefit we'll get. (well, some of you run pdp10,
> > > but don't you want your pdp10 be secure against id predictability
> > > attacks?)
> > Perhaps good analogy might be - would you randomize phone
> > number allocation?
>
> when someone can tap the wire and impersonate you by caller ID,
> story goes very different.

Randomizing transaction IDs does *not* provide any kind of meaningful
protection against an active attack on the RPC protocol; it just makes
it very slightly harder.

If you want protection from RPC response spoofing attacks, you need to
use encryption or authentication at a lower network layer (e.g. IPsec)
or at the RPC layer itself. If you don't care about that, it is very
hard for me to see what good the expensive half-measure of randomizing
transaction IDs will do you -- and if you _are_ using meaningful protection
of your RPC system, it is simply annoying, pointless overhead.

Perhaps it would make sense to make XID randomization an optional feature.
However, since I suspect that the set of users who care about security,
but, you know, only a _little_ bit, is pretty small, I suspect few would
use it.

--
Thor Lancelot Simon tls@rek.tjls.com
But as he knew no bad language, he had called him all the names of common
objects that he could think of, and had screamed: "You lamp! You towel! You
plate!" and so on. --Sigmund Freud
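
The distinction drawn in the message above, as an added example that is not part of the original post or of NetBSD's RPC code: a client that accepts replies on XID match alone versus one that verifies an authenticator first. The wire format here (4-byte XID, payload, optional HMAC-SHA256 tag) and all function names are assumptions chosen for illustration; it is a simplified stand-in for authentication at the RPC layer or IPsec, not the ONC RPC format.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 32  # HMAC-SHA256 output size

def make_reply(xid, payload, key=None):
    """Build a toy reply: 4-byte big-endian XID, payload, optional HMAC tag."""
    body = struct.pack(">I", xid) + payload
    if key is not None:
        body += hmac.new(key, body, hashlib.sha256).digest()
    return body

def accept_xid_only(reply, pending_xid):
    """Client that trusts any reply whose XID matches the outstanding call."""
    if len(reply) < 4:
        return None
    (xid,) = struct.unpack(">I", reply[:4])
    return reply[4:] if xid == pending_xid else None

def accept_authenticated(reply, pending_xid, key):
    """Client that verifies the tag before it looks at the XID at all."""
    if len(reply) < 4 + TAG_LEN:
        return None
    body, tag = reply[:-TAG_LEN], reply[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    (xid,) = struct.unpack(">I", body[:4])
    return body[4:] if xid == pending_xid else None

def demo():
    key = os.urandom(32)                         # known to client and server only
    (xid,) = struct.unpack(">I", os.urandom(4))  # randomized, but sent in the clear
    genuine = make_reply(xid, b"genuine", key)
    # Constructed sample: a reply carrying the observed XID but made without the key.
    forged = make_reply(xid, b"forged!", os.urandom(32))
    return {
        "xid_only_forged": accept_xid_only(forged, xid) is not None,
        "auth_forged": accept_authenticated(forged, xid, key) is not None,
        "auth_genuine": accept_authenticated(genuine, xid, key),
    }

if __name__ == "__main__":
    print(demo())
```

The XID-only check passes the constructed reply however the XID was chosen, because the XID travels in the clear with the call; only the keyed check rejects it.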