Re: [PATCH] OpenBSD Networking-related randomization port

From: Stephen Hemminger
Date: Fri Jan 28 2005 - 13:12:11 EST


> Attached you can find a split-up patch ported from grSecurity [1]. As
> Linus commented that he wouldn't get a wholesale patch, I was working
> on it and also studying what features of grSecurity can be implemented
> without a development or maintenance overhead, aka less invasive
> implementations.
>
> It adds support for advanced networking-related randomization; in
> concrete terms, it adds support for TCP ISN randomization, RPC XID
> randomization, IP ID randomization and finally a sub-key under the
> Cryptographic options menu for Linux PRNG [2] enhancements (useful now
> and also for future patch submissions), which currently has only one
> option, for increasing pool sizes (x2).
>
> As its impact is minimal (in performance and development/maintenance
> terms), I recommend merging it, as it gives basic prevention against the
> so-called system fingerprinting (which is used mostly by "kids" to know
> how old and insecure a target system could be, many times used as the
> first, even the only, data to decide whether or not to attack the target
> host), among other things.
>
> There's only one missing feature that is present in grSecurity, the
> source port randomization, which seems to be achieved now by some changes
> that can be checked out in the Linux BKBits repository:
> http://linux.bkbits.net:8080/linux-2.6/diffs/net/ipv4/tcp_ipv4.c@xxxxx?nav=index.html|src/|src/net|src/net/ipv4|hist/net/ipv4/tcp_ipv4.c
> (net/ipv4/tcp_ipv4.c@xxxxx)
>
> I'm not sure of the effectiveness of those changes, but I just prefer to
> keep it as simple as possible. If there are thoughts on reverting to
> the old scheme, and using obsd_rand.c code instead, just drop me a line
> and I will modify the patch.

Okay, but:
* Need to give a better explanation of why this is required;
the existing randomization code in networking is a compromise between
performance and security. So you need to quantify the performance
impact of this, and the security threat reduction.

* Why are the OpenBSD random functions better? Because they have more
security coolness factor?

* It is hard to have two levels of security based on config options.
Think of a distro vendor: do they ship the fast or the secure system??

As always:
* Send networking stuff to netdev@xxxxxxxxxxx
* Please split up patches.
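The quoted patch adds TCP ISN randomization, and the reply asks for the security threat reduction to be quantified. As an added example, not part of this thread and not code from the patch or the kernel, here is a small Python model that contrasts a plain RFC 793 clock-driven ISN with an RFC 1948-style keyed-offset ISN and measures how predictable consecutive ISNs are to someone who only watches SYNs. The host addresses, ports, secret, function names and the use of HMAC-SHA-256 as the keyed function are assumptions made for the demonstration; the kernel's own generator is not reproduced.

```python
import hashlib
import hmac
import math
import struct
from collections import Counter

ISN_WRAP = 1 << 32
# RFC 793 clock: one increment every 4 microseconds, i.e. 250 000 ticks per second.
TICKS_PER_SECOND = 250_000

# Constructed values for the demonstration (not real hosts, not a real kernel secret).
CLIENT_IP = "192.0.2.10"
SERVER_IP = "198.51.100.5"
SERVER_PORT = 80
SECRET = b"constructed-demo-secret-do-not-reuse"


def sequential_isn(clock_ticks):
    """Classic RFC 793 scheme: the ISN is just the 32-bit clock value."""
    return clock_ticks % ISN_WRAP


def keyed_isn(src_ip, dst_ip, sport, dport, clock_ticks, secret):
    """RFC 1948-style scheme: ISN = clock + F(connection tuple, secret).

    F is a keyed hash, so the per-connection offset is constant for a given
    tuple (sequence numbers still advance with the clock) but cannot be
    derived from ISNs seen on other connections without the secret.
    HMAC-SHA-256 is an assumed stand-in; the kernel uses its own hash.
    """
    tuple_bytes = struct.pack(
        "!4s4sHH",
        bytes(int(octet) for octet in src_ip.split(".")),
        bytes(int(octet) for octet in dst_ip.split(".")),
        sport,
        dport,
    )
    digest = hmac.new(secret, tuple_bytes, hashlib.sha256).digest()
    offset = int.from_bytes(digest[:4], "big")
    return (clock_ticks + offset) % ISN_WRAP


def isn_deltas(isns):
    """Differences between consecutive observed ISNs, modulo 2^32."""
    return [(b - a) % ISN_WRAP for a, b in zip(isns, isns[1:])]


def delta_entropy_bits(isns):
    """Shannon entropy (bits) of the delta distribution.

    0 bits means every delta was identical, so the next ISN follows from
    the previous one and the clock; log2(n-1) is the maximum for n
    observations and means no delta repeated at all.
    """
    deltas = isn_deltas(isns)
    n = len(deltas)
    counts = Counter(deltas)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def observed_isns(scheme, n=64, spacing_ticks=TICKS_PER_SECOND // 10):
    """Constructed observer view: n SYNs to the server, one every 0.1 s,
    from a client walking through ephemeral ports 40000, 40001, ...
    scheme is "sequential" or "keyed".
    """
    isns = []
    for i in range(n):
        ticks = i * spacing_ticks
        sport = 40000 + i
        if scheme == "sequential":
            isns.append(sequential_isn(ticks))
        elif scheme == "keyed":
            isns.append(keyed_isn(CLIENT_IP, SERVER_IP, sport, SERVER_PORT, ticks, SECRET))
        else:
            raise ValueError(f"unknown scheme: {scheme}")
    return isns


def compare_schemes():
    """Delta entropy of each scheme over the constructed trace."""
    return {scheme: delta_entropy_bits(observed_isns(scheme))
            for scheme in ("sequential", "keyed")}


if __name__ == "__main__":
    for scheme, bits in compare_schemes().items():
        print(f"{scheme:10s} delta entropy: {bits:5.2f} bits")
```

With evenly spaced SYNs the sequential scheme yields a single repeated delta (0 bits), while the keyed scheme yields a different delta for nearly every pair of connections because each tuple carries its own secret-dependent offset. The same offset still makes the ISN of one tuple advance exactly with the clock, which is the RFC 1948 property that keeps old segments from a previous incarnation of the connection out of the new one. A real evaluation of the patch would run this kind of measurement against actual SYN traces from the old and new generators, and pair it with the performance numbers the reply asks for.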
