Re: [PATCH] OpenBSD Networking-related randomization port

From: Lorenzo Hernández García-Hierro
Date: Fri Jan 28 2005 - 13:39:25 EST

Next message: George Anzinger: "Re: High resolution timers and BH processing on -RT"
Previous message: Hugh Dickins: "Re: [PATCH] Add CONFIG_X86_APIC_OFF for i386/UP"
In reply to: Stephen Hemminger: "Re: [PATCH] OpenBSD Networking-related randomization port"
Next in thread: Stephen Hemminger: "Re: [PATCH] OpenBSD Networking-related randomization port"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

El vie, 28-01-2005 a las 10:02 -0800, Stephen Hemminger escribió:
> > Attached you can find a split up patch ported from grSecurity [1], as
> > Linus commented that he wouldn't get a whole-sale patch, I was working
> > on it and also studying what features of grSecurity can be implemented
> > without a development or maintenance overhead, aka less-invasive
> > implementations.
> >
> > It adds support for advanced networking-related randomization, in
> > concrete it adds support for TCP ISNs randomization, RPC XIDs
> > randomization, IP IDs randomization and finally a sub-key under the
> > Cryptographic options menu for Linux PRNG [2] enhancements (useful now
> > and also for future patch submissions), which currently has an only-one
> > option for poll sizes increasing (x2).
> >
> > As it's impact is minimal (in performance and development/maintenance
> > terms), I recommend to merge it, as it gives a basic prevention for the
> > so-called system fingerprinting (which is used most by "kids" to know
> > how old and insecure could be a target system, many time used as the
> > first, even only-one, data to decide if attack or not the target host)
> > among other things.
> >
> > There's only a missing feature that is present on grSecurity, the
> > sources ports randomization which seems achieved now by some changes
> > that can be checked out in the Linux BKBits repository:
> > http://linux.bkbits.net:8080/linux-2.6/diffs/net/ipv4/tcp_ipv4.c@xxxxx?nav=index.html|src/|src/net|src/net/ipv4|hist/net/ipv4/tcp_ipv4.c
> > (net/ipv4/tcp_ipv4.c@xxxxx)
> >
> > I'm not sure of the effectiveness of that changes, but I just prefer to
> > keep it as most simple as possible.If there are thoughts on reverting to
> > the old schema, and using obsd_rand.c code instead, just drop me a line
> > and I will modify the patch.
>
> Okay, but:
> * Need to give better explanation of why this is required,
> existing randomization code in network is compromise between
> performance and security. So you need to quantify the performance
> impact of this, and the security threat reduction.

Performance impact is none AFAIK.
I've explained them in an early reply to Adrian [1].

> * Why are the OpenBSD random functions better? because they have more
> security coolness factor?

I'm not an OpenBSD user, and no intention to being a one.
I just recognize that the functions do the same job better, as explained
in the Kconfig diffs.

> * It is hard to have two levels of security based on config options.
> Think of a distro vendor, do they ship the fast or the secure system??
>
> As always:
> * Send networking stuff to netdev@xxxxxxxxxxx

Added to CC list.

> * Please split up patches.

If you talk about removing the pool sizes increasing, then i will do it,
but i would like to know if this has any chances to get merged.

[1]: http://lkml.org/lkml/2005/1/28/139

Cheers,
--
Lorenzo Hernández García-Hierro <lorenzo@xxxxxxx>
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]

Attachment: signature.asc
Description: Esta parte del mensaje =?ISO-8859-1?Q?est=E1?= firmadadigitalmente

Next message: George Anzinger: "Re: High resolution timers and BH processing on -RT"
Previous message: Hugh Dickins: "Re: [PATCH] Add CONFIG_X86_APIC_OFF for i386/UP"
In reply to: Stephen Hemminger: "Re: [PATCH] OpenBSD Networking-related randomization port"
Next in thread: Stephen Hemminger: "Re: [PATCH] OpenBSD Networking-related randomization port"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]