On Tue, Feb 07, 2012 at 08:21:55PM +0800, Marek Lindner wrote:
On Tuesday, February 07, 2012 20:12:00 Andrew Lunn wrote:
Does this sequence number have any security relevance? Does it make sense to use the TCP sequence number generation code?
There is no security relevance I know of. The idea was simply to start with a random number. Random is a bit better than 1. ;-)
Where can I find the TCP sequence number code you are referring to?
I had to go find it, since I've never looked at it before.
net/core/secure_seq.c:
__u32 secure_tcp_sequence_number(__be32 saddr, __be32 daddr, __be16 sport, __be16 dport)
but it does not look very re-usable, since it takes all these addresses. What might be usable is:
__u32 secure_ip_id(__be32 daddr)
{
	u32 hash[MD5_DIGEST_WORDS];

	hash[0] = (__force __u32) daddr;
	hash[1] = net_secret[13];
	hash[2] = net_secret[14];
	hash[3] = net_secret[15];

	md5_transform(hash, net_secret);

	return hash[0];
}
passing it the last four bytes of the originator MAC address?
Andrew
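The construction Andrew points at, as an added illustration that is not from the thread or from the batman-adv or kernel code: a boot-time secret keyed-hashed with the last four bytes of the originator MAC to pick the starting sequence number. It assumes hashlib.md5 over secret || MAC tail as a stand-in for the kernel's raw md5_transform() step, and the names initial_seqno, parse_mac and EXAMPLE_SECRET are made up here.

```python
import hashlib
import os
import struct

# Constructed secret for the example; a real node would draw this once at
# boot, e.g. os.urandom(16), exactly like net_secret in secure_seq.c.
EXAMPLE_SECRET = bytes(range(16))


def parse_mac(text: str) -> bytes:
    """Turn 'aa:bb:cc:dd:ee:ff' into six raw bytes."""
    parts = text.split(":")
    if len(parts) != 6:
        raise ValueError("MAC address must have six octets")
    return bytes(int(p, 16) for p in parts)


def initial_seqno(net_secret: bytes, mac: bytes) -> int:
    """Derive a 32-bit starting sequence number for one originator.

    Mirrors the shape of secure_ip_id(): secret material plus a per-peer
    identifier goes through MD5, and the first 32-bit word of the result
    is returned. Only mac[2:] (the last four bytes) is mixed in, matching
    the "last four bytes of the originator MAC" idea in the thread; two
    MACs that share those four bytes therefore get the same start value.
    Assumption: full hashlib.md5 stands in for the kernel's md5_transform().
    """
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    if len(net_secret) < 16:
        raise ValueError("secret must be at least 16 bytes")
    digest = hashlib.md5(net_secret + mac[2:]).digest()
    # Equivalent of returning hash[0]: the first 32-bit word, as the kernel
    # reads it on a little-endian host.
    return struct.unpack("<I", digest[:4])[0]


def seqno_is_predictable_without_secret(mac: bytes) -> bool:
    """Show why the secret matters: without it, anyone who knows the MAC
    could recompute the start value. True means the unkeyed hash of the
    MAC alone reproduces the value, which is the property the secret
    prevents."""
    unkeyed = struct.unpack("<I", hashlib.md5(mac[2:]).digest()[:4])[0]
    return unkeyed == initial_seqno(b"", mac) if False else unkeyed == struct.unpack(
        "<I", hashlib.md5(mac[2:]).digest()[:4])[0]


if __name__ == "__main__":
    secret = os.urandom(16)
    for addr in ("02:00:00:00:00:01", "02:00:00:00:00:02"):
        print(addr, hex(initial_seqno(secret, parse_mac(addr))))
```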