[Full-disclosure] Port Randomization: New revision of our IETF Internet-Draft
Fernando Gont
fernando.gont at gmail.com
Tue Sep 2 19:30:48 BST 2008
At 11:15 a.m. 02/09/2008, coderman wrote:
>On Tue, Sep 2, 2008 at 2:06 AM, Fernando Gont <fernando.gont at gmail.com> wrote:
> > ... there's no description of what Windows does
>
>some things speak for themselves... :)
What speaks for itself?
Our work is a proposal for a few alternatives for doing port
randomization. Two of them are new, and are supposed to avoid some of
the problems that are usually caused by a trivial port randomization
algorithm (e.g., algorithm #1 and algorithm #2). Full stop. We simply
provide a small survey in case you ask yourself "what is being done
out there" by popular TCP implementations. The survey is simply an
appendix, and was added as I was examining the Linux and *BSD code myself.
> > Also, the base Linux system already implements Algorithm #3... why
> > ... patch
>
>if you seed/key #3 poorly, as just one example. (which you reference
>via RFC4086, etc)
If algorithm #3 is seeded poorly, then I think you should document
it, and send a patch so that that problem is fixed in the base system.
> > P.S.: The "survey" section must be about 1% of the document. I'd be glad to
> > hear comments on the rest of the document.
>
>sure... section #4 should be:
>s/should consider randomizing/must randomize/
If anything, it should be "should randomize". "MUSTs" are meant to
mandate specific behaviors/rules that, if not followed, would lead
to interoperability problems.
--
Fernando Gont
e-mail: fernando at gont.com.ar || fgont at acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
Full-Disclosure is hosted and sponsored by Secunia.