On Feb 6, 2008 8:31 PM, Nikns Siankin <[EMAIL PROTECTED]> wrote:
> The full paper is available at the following URL:
> http://www.trusteer.com/docs/dnsopenbsd.html
I find the fixes done in other BSDs rather ugly because they have to keep a lot of state information:

* http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/ip_id.c?rev=1.10
* http://www.dragonflybsd.org/cvsweb/src/sys/netinet/ip_id.c?rev=1.7
* http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet/ip_id.c?rev=1.12

A better fix would be to use the alternative scheme proposed by Niels Provos: use a small block cipher in counter mode and a different key for every destination address. See http://marc.info/?l=netbsd-tech-net&m=104610286425438

Niels used a similar scheme in scanssh. See section 3.2 of http://www.citi.umich.edu/u/provos/papers/scanssh.pdf

Another option is to use the cryptographic PRNG from djbdns: http://cr.yp.to/djbdns/dns_random.html

Cheers,
Dries
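The scheme Dries prefers, as an added user-space example that is not code from any BSD, from scanssh or from the cited posts: a 16-bit block cipher run in counter mode, with the key derived per destination address from a boot-time secret. The 8-round Feistel cipher and its round function, the splitmix64-based key derivation, the secret value and the fixed-size state table are all this example's own assumptions; the round function is a toy and has not been cryptanalysed. The structural properties are what matter: because the cipher is a permutation of the 16-bit block, a destination never sees a repeated ID within 65536 packets, and because each destination has its own key, IDs observed on one destination say nothing about the counter position of another (given a real cipher and a real secret).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Per-destination IP ID generator: small block cipher in counter mode,
 * one key per destination address.  Everything here is an illustrative
 * construction, not the code of any BSD, scanssh or the cited posts. */

#define IPID_SLOTS 256u   /* fixed table; a kernel would hash and expire entries */

struct ipid_state {
    uint32_t dst;       /* IPv4 destination, host order; 0 marks a free slot */
    uint64_t key;       /* per-destination cipher key */
    uint16_t counter;   /* counter-mode plaintext for this destination */
};

static struct ipid_state ipid_table[IPID_SLOTS];

/* Constructed secret; a real implementation reads it from the kernel RNG at boot. */
static const uint64_t ipid_secret = 0x243f6a8885a308d3ULL;

/* splitmix64 finalizer: a bijection on 64-bit words, so distinct destinations
 * under one secret always receive distinct keys. */
static uint64_t mix64(uint64_t x)
{
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    x ^= x >> 31;
    return x;
}

uint64_t ipid_key_for(uint32_t dst)
{
    return mix64(ipid_secret ^ (uint64_t)dst);
}

/* Toy keyed round function (assumption, not cryptanalysed).  Any round
 * function makes the Feistel network below a permutation of the block. */
static uint8_t feistel_f(uint8_t x, uint8_t rk)
{
    x ^= rk;
    x = (uint8_t)(x * 0x9du + 0x3bu);
    x ^= (uint8_t)(x >> 3);
    x = (uint8_t)((x << 5) | (x >> 3));   /* rotate left by 5 */
    return (uint8_t)(x * 0x6bu);
}

/* 8-round Feistel cipher on a 16-bit block; round i uses byte i of the key. */
uint16_t feistel16_encrypt(uint16_t block, uint64_t key)
{
    uint8_t l = (uint8_t)(block >> 8), r = (uint8_t)block;
    for (int i = 0; i < 8; i++) {
        uint8_t t = (uint8_t)(l ^ feistel_f(r, (uint8_t)(key >> (8 * i))));
        l = r;
        r = t;
    }
    return (uint16_t)(((uint16_t)l << 8) | r);
}

/* 1 if the cipher maps all 65536 inputs to distinct outputs under key. */
int feistel16_is_permutation(uint64_t key)
{
    static uint8_t seen[65536];
    memset(seen, 0, sizeof seen);
    for (uint32_t x = 0; x < 65536; x++) {
        uint16_t y = feistel16_encrypt((uint16_t)x, key);
        if (seen[y]) return 0;
        seen[y] = 1;
    }
    return 1;
}

static void ipid_init_slot(struct ipid_state *s, uint32_t dst)
{
    s->dst = dst;
    s->key = ipid_key_for(dst);
    s->counter = (uint16_t)mix64(s->key);   /* unpredictable starting point */
}

/* Find or create the slot for dst: linear probing, evicting the home slot
 * if the table is full (the evicted destination simply restarts). */
static struct ipid_state *ipid_lookup(uint32_t dst)
{
    uint32_t h = (dst * 2654435761u) >> 24;   /* 0..255 */
    for (uint32_t i = 0; i < IPID_SLOTS; i++) {
        struct ipid_state *s = &ipid_table[(h + i) % IPID_SLOTS];
        if (s->dst == dst) return s;
        if (s->dst == 0) { ipid_init_slot(s, dst); return s; }
    }
    ipid_init_slot(&ipid_table[h % IPID_SLOTS], dst);
    return &ipid_table[h % IPID_SLOTS];
}

/* Next IP ID for dst: encrypt this destination's counter under its key. */
uint16_t ipid_next(uint32_t dst)
{
    struct ipid_state *s = ipid_lookup(dst);
    return feistel16_encrypt(s->counter++, s->key);
}

/* 1 if 65536 consecutive IDs for dst are all distinct, i.e. no repeat
 * before the 16-bit counter wraps. */
int ipid_no_repeat_in_period(uint32_t dst)
{
    static uint8_t seen[65536];
    memset(seen, 0, sizeof seen);
    for (uint32_t n = 0; n < 65536; n++) {
        uint16_t id = ipid_next(dst);
        if (seen[id]) return 0;
        seen[id] = 1;
    }
    return 1;
}

int main(void)
{
    uint32_t a = 0xc0a80001u, b = 0xc0a80002u;   /* constructed: 192.168.0.1 and .2 */
    printf("dst A:");
    for (int i = 0; i < 6; i++) printf(" %04x", ipid_next(a));
    printf("\ndst B:");
    for (int i = 0; i < 6; i++) printf(" %04x", ipid_next(b));
    printf("\n");
    return 0;
}
```

The state kept per destination is one key and one 16-bit counter, and the key can be recomputed from the secret at any time, so a kernel can drop table entries freely under pressure; contrast the per-ID history the linked ip_id.c implementations carry.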

