RE: TCP sequence numbers
On Thu, 2 Sep 1999, Geoff Rehmet wrote: How do OpenBSD do it? They use arc4random(), to add a random increment. And you do ISN = C + f(state) where C is a 250KHz counter and f is your cut-down MD5? And state = {random secret, src addr, src port, dst addr, dst port, ?} I haven't had time to read through the patch yet, I'm sorry. Just curious whether you have a reference for doing this or whether it was an ad-hoc change. Playing with cryptographic algorithms isn't usually a good idea unless you're sure, as I'm sure you know. Yup - dead right. The requirements in this instance are however also slightly different to what you normally use a cryptographic hash for. I want to let the code be picked at a bit before it goes into the tree though. What speed difference is there between MD5 and your cut-down version? Have you benchmarked performance differences in general? I'm also still curious about your rationale/references for modifying MD5 in that way. The other comment I have is that this should probably be hidden behind a sysctl for configurability and to appease folks who might not like it. I'd expect Yarrow to be (perhaps quite a bit) slower than our existing PRNG - it's a more conservative design and uses primitives like SHA-1 (for yarrow-160). I don't know how much of an impact this would be for network performance. If it is only used to generate a secret every 5 minutes, that should not be a problem. Sounds reasonable. Kris To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
RE: TCP sequence numbers
On Thu, 2 Sep 1999, Geoff Rehmet wrote: I'd expect Yarrow to be (perhaps quite a bit) slower than our existing PRNG - it's a more conservative design and uses primitives like SHA-1 (for yarrow-160). I don't know how much of an impact this would be for network performance. If it is only used to generate a secret every 5 minutes, that should not be a problem. Hrm. RFC 1948 seems to warn against changing the secret while "live". It's not immediately obvious to me why this is so. Kris To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
RE: TCP sequence numbers
On Thu, 2 Sep 1999, Geoff Rehmet wrote: How do OpenBSD do it? They use arc4random(), to add a random increment. And you do ISN = C + f(state) where C is a 250KHz counter and f is your cut-down MD5? And state = {random secret, src addr, src port, dst addr, dst port, ?} I haven't had time to read through the patch yet, I'm sorry. Just curious whether you have a reference for doing this or whether it was an ad-hoc change. Playing with cryptographic algorithms isn't usually a good idea unless you're sure, as I'm sure you know. Yup - dead right. The requirements in this instance are however also slightly different to what you normally use a cryptographic hash for. I want to let the code be picked at a bit before it goes into the tree though. What speed difference is there between MD5 and your cut-down version? Have you benchmarked performance differences in general? I'm also still curious about your rationale/references for modifying MD5 in that way. The other comment I have is that this should probably be hidden behind a sysctl for configurability and to appease folks who might not like it. I'd expect Yarrow to be (perhaps quite a bit) slower than our existing PRNG - it's a more conservative design and uses primitives like SHA-1 (for yarrow-160). I don't know how much of an impact this would be for network performance. If it is only used to generate a secret every 5 minutes, that should not be a problem. Sounds reasonable. Kris To Unsubscribe: send mail to majord...@freebsd.org with unsubscribe freebsd-hackers in the body of the message
RE: TCP sequence numbers
On Thu, 2 Sep 1999, Geoff Rehmet wrote: I'd expect Yarrow to be (perhaps quite a bit) slower than our existing PRNG - it's a more conservative design and uses primitives like SHA-1 (for yarrow-160). I don't know how much of an impact this would be for network performance. If it is only used to generate a secret every 5 minutes, that should not be a problem. Hrm. RFC 1948 seems to warn against changing the secret while live. It's not immediately obvious to me why this is so. Kris To Unsubscribe: send mail to majord...@freebsd.org with unsubscribe freebsd-hackers in the body of the message
TCP sequence numbers
After a bit of work on TCP sequence numbers, and generating initial sequence numbers which are difficult to predict, I have put some code together, which I belive makes the way in which FreeBSD generates initial send sequence numbers more secure. Problems with our existing scheme are that we are using a PRNG, which is seeded to start from zero, and thus we are open to attack, since the PRNG is statistically, but not cryptogrphically random. At the moment, my code still uses random() from libkern, but there are some sources of entropy in the way random() is reseeded on a regular basis, using values like the microseconds of the system clock, the current tcp_iss value, and the tcp endpoints of the last tcp connection. The patch I have developed is based on RFC1948, and also takes some ideas from the way in which Linux calculates TCP ISS values. However, unlike Linux, I am keeping the code true to RFC793's requirement for a "fictitious" 250kHz clock. Instead of uising a cut-down MD4 transform, (which is what Linux does), I have used a cut-down MD5 transform, with round 4 removed. As with the Linux code, I am using 9 32-bit words of random secret, which is rekeyed every 5 minutes. The remainder of the sequence number generation is based on our existing code. I have placed the diff in http://www.freebsd.org/~csgr/tcp_sequence.diff The diff was taken against -current as at approximately 0600 GMT 1 September 1999. testing, comments would be appreciated. Once Mark has completed his work in devrandom, I will rather use devrandom as a source of randomness. (The code still needs a little tidying.) Geoff. -- Geoff Rehmet, The Internet Solution - Infrastructure tel: +27-11-283-5462, fax: +27-11-283-5401 mobile: +27-83-292-5800 email: [EMAIL PROTECTED] URL: http://www.is.co.za To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
TCP sequence numbers
After a bit of work on TCP sequence numbers, and generating initial sequence numbers which are difficult to predict, I have put some code together, which I belive makes the way in which FreeBSD generates initial send sequence numbers more secure. Problems with our existing scheme are that we are using a PRNG, which is seeded to start from zero, and thus we are open to attack, since the PRNG is statistically, but not cryptogrphically random. At the moment, my code still uses random() from libkern, but there are some sources of entropy in the way random() is reseeded on a regular basis, using values like the microseconds of the system clock, the current tcp_iss value, and the tcp endpoints of the last tcp connection. The patch I have developed is based on RFC1948, and also takes some ideas from the way in which Linux calculates TCP ISS values. However, unlike Linux, I am keeping the code true to RFC793's requirement for a fictitious 250kHz clock. Instead of uising a cut-down MD4 transform, (which is what Linux does), I have used a cut-down MD5 transform, with round 4 removed. As with the Linux code, I am using 9 32-bit words of random secret, which is rekeyed every 5 minutes. The remainder of the sequence number generation is based on our existing code. I have placed the diff in http://www.freebsd.org/~csgr/tcp_sequence.diff The diff was taken against -current as at approximately 0600 GMT 1 September 1999. testing, comments would be appreciated. Once Mark has completed his work in devrandom, I will rather use devrandom as a source of randomness. (The code still needs a little tidying.) Geoff. -- Geoff Rehmet, The Internet Solution - Infrastructure tel: +27-11-283-5462, fax: +27-11-283-5401 mobile: +27-83-292-5800 email: geo...@is.co.za URL: http://www.is.co.za To Unsubscribe: send mail to majord...@freebsd.org with unsubscribe freebsd-hackers in the body of the message
Re: TCP sequence numbers
On Wed, 1 Sep 1999, Geoff Rehmet wrote: After a bit of work on TCP sequence numbers, and generating initial sequence numbers which are difficult to predict, I have put some code together, which I belive makes the way in which FreeBSD generates initial send sequence numbers more secure. How do OpenBSD do it? The patch I have developed is based on RFC1948, and also takes some ideas from the way in which Linux calculates TCP ISS values. However, unlike Linux, I am keeping the code true to RFC793's requirement for a fictitious 250kHz clock. Instead of uising a cut-down MD4 transform, (which is what Linux does), I have used a cut-down MD5 transform, with round 4 removed. Just curious whether you have a reference for doing this or whether it was an ad-hoc change. Playing with cryptographic algorithms isn't usually a good idea unless you're sure, as I'm sure you know. As with the Linux code, I am using 9 32-bit words of random secret, which is rekeyed every 5 minutes. The remainder of the sequence number generation is based on our existing code. I have placed the diff in http://www.freebsd.org/~csgr/tcp_sequence.diff The diff was taken against -current as at approximately 0600 GMT 1 September 1999. testing, comments would be appreciated. Once Mark has completed his work in devrandom, I will rather use devrandom as a source of randomness. I'd expect Yarrow to be (perhaps quite a bit) slower than our existing PRNG - it's a more conservative design and uses primitives like SHA-1 (for yarrow-160). I don't know how much of an impact this would be for network performance. Kris To Unsubscribe: send mail to majord...@freebsd.org with unsubscribe freebsd-hackers in the body of the message
Re: TCP sequence numbers
I'd expect Yarrow to be (perhaps quite a bit) slower than our existing PRNG - it's a more conservative design and uses primitives like SHA-1 (for yarrow-160). I don't know how much of an impact this would be for network performance. I will doing Yarrow-1.0A, once the IPSec stuff is around. I expect to be able to tweak it so that this his is not too heavy, and customisable. M -- Mark Murray Join the anti-SPAM movement: http://www.cauce.org To Unsubscribe: send mail to majord...@freebsd.org with unsubscribe freebsd-hackers in the body of the message
RE: TCP sequence numbers
How do OpenBSD do it? They use arc4random(), to add a random increment. Just curious whether you have a reference for doing this or whether it was an ad-hoc change. Playing with cryptographic algorithms isn't usually a good idea unless you're sure, as I'm sure you know. Yup - dead right. The requirements in this instance are however also slightly different to what you normally use a cryptographic hash for. I want to let the code be picked at a bit before it goes into the tree though. I'd expect Yarrow to be (perhaps quite a bit) slower than our existing PRNG - it's a more conservative design and uses primitives like SHA-1 (for yarrow-160). I don't know how much of an impact this would be for network performance. If it is only used to generate a secret every 5 minutes, that should not be a problem. To Unsubscribe: send mail to majord...@freebsd.org with unsubscribe freebsd-hackers in the body of the message
Re: On TCP sequence numbers
[ Geoff Rehmet ] Another question that comes in to this is - how good a tool is nmap for evaluating the predictability of the sequence numbers we generate? Just a funny (?) aside - while playing about with nmap here a while back, a colleague accidentally discovered that our Digital (or Compaq Tru64, if you want to be perverse) Unix 4.0E box was using a constant (?!) sequence number. Cian -- What think ye of Christ? Whose son is he? Will you, like Peter, boldly say: "Who?" To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
Re: On TCP sequence numbers
[ Geoff Rehmet ] Another question that comes in to this is - how good a tool is nmap for evaluating the predictability of the sequence numbers we generate? Just a funny (?) aside - while playing about with nmap here a while back, a colleague accidentally discovered that our Digital (or Compaq Tru64, if you want to be perverse) Unix 4.0E box was using a constant (?!) sequence number. Cian -- What think ye of Christ? Whose son is he? Will you, like Peter, boldly say: Who? To Unsubscribe: send mail to majord...@freebsd.org with unsubscribe freebsd-hackers in the body of the message
On TCP sequence numbers
A topic that Mark and I have been discussing a little, is the algorithms that FreeBSD uses for generating initial TCP sequence numbers - that being with reference to the predictability of these numbers. (Work on this has been somewhere in Mark's todo list for a while.) This topic raises a few questions: How good, or how bad are the initial sequence numbers that FreeBSD uses? (It seems that we could improve them a little.) How unpredictable do we need to make the sequence numbers? Some testing with nmap shows that Linux is generating sequence numbers that are far more unpredictable than ours are. (Linux is, however, also using a 1MHz clock, as opposed to the 250kHz clock as outlined in the RFC.) We are only using a PRNG, as opposed to the entropy pool supplied by devrandom to generate sequence numbers (warning here - devrandom is only supported in the i386 port of FreeBSD). My testing indicates that we can improve the entropy input into our sequence numbers by using devrandom. However, this is VERY dependent on the entropy sources that you feed into the pool via rndcontrol(8). Another question that comes in to this is - how good a tool is nmap for evaluating the predictability of the sequence numbers we generate? Ideally, I would like to do some improvements to our sequence number generation. Thoughts? Geoff. -- Geoff Rehmet, The Internet Solution - Infrastructure tel: +27-11-283-5462, fax: +27-11-283-5401 mobile: +27-83-292-5800 email: [EMAIL PROTECTED] URL: http://www.is.co.za To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
Re: On TCP sequence numbers
Another question that comes in to this is - how good a tool is nmap for evaluating the predictability of the sequence numbers we generate? Ideally, I would like to do some improvements to our sequence number generation. Thoughts? What is OpenBSD like in this regard ? AFAIR it has various algorithms for randomizing sequence numbers I think.. [Correct me if I'm wrong !] - Cillian To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
On TCP sequence numbers
A topic that Mark and I have been discussing a little, is the algorithms that FreeBSD uses for generating initial TCP sequence numbers - that being with reference to the predictability of these numbers. (Work on this has been somewhere in Mark's todo list for a while.) This topic raises a few questions: How good, or how bad are the initial sequence numbers that FreeBSD uses? (It seems that we could improve them a little.) How unpredictable do we need to make the sequence numbers? Some testing with nmap shows that Linux is generating sequence numbers that are far more unpredictable than ours are. (Linux is, however, also using a 1MHz clock, as opposed to the 250kHz clock as outlined in the RFC.) We are only using a PRNG, as opposed to the entropy pool supplied by devrandom to generate sequence numbers (warning here - devrandom is only supported in the i386 port of FreeBSD). My testing indicates that we can improve the entropy input into our sequence numbers by using devrandom. However, this is VERY dependent on the entropy sources that you feed into the pool via rndcontrol(8). Another question that comes in to this is - how good a tool is nmap for evaluating the predictability of the sequence numbers we generate? Ideally, I would like to do some improvements to our sequence number generation. Thoughts? Geoff. -- Geoff Rehmet, The Internet Solution - Infrastructure tel: +27-11-283-5462, fax: +27-11-283-5401 mobile: +27-83-292-5800 email: geo...@is.co.za URL: http://www.is.co.za To Unsubscribe: send mail to majord...@freebsd.org with unsubscribe freebsd-hackers in the body of the message
Re: On TCP sequence numbers
Another question that comes in to this is - how good a tool is nmap for evaluating the predictability of the sequence numbers we generate? Ideally, I would like to do some improvements to our sequence number generation. Thoughts? What is OpenBSD like in this regard ? AFAIR it has various algorithms for randomizing sequence numbers I think.. [Correct me if I'm wrong !] - Cillian To Unsubscribe: send mail to majord...@freebsd.org with unsubscribe freebsd-hackers in the body of the message