lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <48bd875d.02c3f10a.364a.7c3b@mx.google.com>
Date: Tue, 02 Sep 2008 15:30:48 -0300
From: Fernando Gont <fernando.gont@...il.com>
To: coderman <coderman@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Port Randomization: New revision of our IETF
 Internet-Draft

At 11:15 a.m. 02/09/2008, coderman wrote:

>On Tue, Sep 2, 2008 at 2:06 AM, Fernando Gont <fernando.gont@...il.com> wrote:
> > ... there's no description of what Windows does
>
>some things speak for themselves... :)

What speaks for itself?

Our work is a proposal for a few alternatives for doing port 
randomization. Two of them are new, and are supposed to avoid some of 
the problems that are usually caused by a trivial port randomization 
algorithm (e.g., algorithm #1 and algorithm #2). Full stop. We simply 
provide a small survey in case you ask yourself "what is being done 
out there" by popular TCP implementations. The survey is simply an 
appendix, and was added as I was examining the Linux and *BSD code myself.



> > Also, the base Linux system already implements Algorithm #3... why
> > ... patch
>
>if you seed/key #3 poorly, as just one example. (which you reference
>via RFC4086, etc)

If algorithm #3 is seeded poorly, then I think you should document 
it, and send a patch so that that problem is fixed in the base system.



> > P.S.: The "survey" section must be about 1% of the document. I'd be glad to
> > hear comments on the rest of the document.
>
>sure...  section #4 should be:
>s/should consider randomizing/must randomize/

If anything, it should be "should randomize". "MUSTs" are meant to 
mandate specific behaviors/rules that, if not  followed, would lead 
to interoperability problems.


--
Fernando Gont
e-mail: fernando@...t.com.ar || fgont@....org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ