| rfc9415v6.txt | rfc9415.txt | |||
|---|---|---|---|---|
| skipping to change at line 559 ¶ | skipping to change at line 559 ¶ | |||
| random() is a PRNG that returns a pseudorandom unsigned integer | random() is a PRNG that returns a pseudorandom unsigned integer | |||
| number of appropriate size. Beware that "adapting" the length of | number of appropriate size. Beware that "adapting" the length of | |||
| the output of random() with a modulo operator (e.g., C language's | the output of random() with a modulo operator (e.g., C language's | |||
| "%") may change the distribution of the PRNG. To preserve a | "%") may change the distribution of the PRNG. To preserve a | |||
| uniform distribution, the rejection sampling technique | uniform distribution, the rejection sampling technique | |||
| [Romailler2020] can be used. | [Romailler2020] can be used. | |||
| suitable_id() is a function that checks, if possible and | suitable_id() is a function that checks, if possible and | |||
| desirable, whether a candidate numeric identifier is suitable | desirable, whether a candidate numeric identifier is suitable | |||
| (e.g., whether it is in use or has has been recently employed). | (e.g., whether it is in use or has been recently employed). | |||
| Depending on how/where the numeric identifier is used, it may or | Depending on how/where the numeric identifier is used, it may or | |||
| may not be possible (or even desirable) to check whether the | may not be possible (or even desirable) to check whether the | |||
| numeric identifier is suitable. | numeric identifier is suitable. | |||
| All the variables (in this algorithm and all the others algorithms | All the variables (in this algorithm and all the others algorithms | |||
| discussed in this document) are unsigned integers. | discussed in this document) are unsigned integers. | |||
| When an identifier is found to be unsuitable, this algorithm selects | When an identifier is found to be unsuitable, this algorithm selects | |||
| the next available numeric identifier in sequence. Thus, even when | the next available numeric identifier in sequence. Thus, even when | |||
| this algorithm selects numeric identifiers randomly, it is biased | this algorithm selects numeric identifiers randomly, it is biased | |||
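Review bot: The unchanged context line "All the variables (in this algorithm and all the others algorithms" still reads "others algorithms" in both columns, so the pass that removed the doubled "has has" in the suitable_id() paragraph missed it; suggest "all the other algorithms discussed in this document".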
| skipping to change at line 1098 ¶ | skipping to change at line 1098 ¶ | |||
| offset. offset() is constant within a given context, whereas mono() | offset. offset() is constant within a given context, whereas mono() | |||
| produces a monotonically increasing sequence for the given context. | produces a monotonically increasing sequence for the given context. | |||
| Identifiers generated with this expression will generally be | Identifiers generated with this expression will generally be | |||
| predictable within CONTEXT. | predictable within CONTEXT. | |||
| The predictability of mono(), irrespective of the predictability of | The predictability of mono(), irrespective of the predictability of | |||
| offset(), can leak information that may be of use to attackers. For | offset(), can leak information that may be of use to attackers. For | |||
| example, a node that selects transport-protocol ephemeral port | example, a node that selects transport-protocol ephemeral port | |||
| numbers, as in: | numbers, as in: | |||
| ephemeral_port = offset(Dest_IP) + mono() | ephemeral_port = offset(IP_Dst_Addr) + mono() | |||
| that is, with a per-destination offset but a global mono() function | that is, with a per-destination offset but a global mono() function | |||
| (e.g., a global counter), will leak information about the total | (e.g., a global counter), will leak information about the total | |||
| number of outgoing connections that have been issued by the | number of outgoing connections that have been issued by the | |||
| vulnerable implementation. | vulnerable implementation. | |||
| Similarly, a node that generates IPv6 Identification values as in: | Similarly, a node that generates IPv6 Identification values as in: | |||
| ID = offset(IP_src_addr, IP_dst_addr) + mono() | ID = offset(IP_Src_Addr, IP_Dst_Addr) + mono() | |||
| will leak out information about the total number of fragmented | will leak out information about the total number of fragmented | |||
| packets that have been transmitted by the vulnerable implementation. | packets that have been transmitted by the vulnerable implementation. | |||
| The vulnerabilities described in [Sanfilippo1998a], | The vulnerabilities described in [Sanfilippo1998a], | |||
| [Sanfilippo1998b], and [Sanfilippo1999] are all associated with the | [Sanfilippo1998b], and [Sanfilippo1999] are all associated with the | |||
| use of a global mono() function (i.e., with a global and constant | use of a global mono() function (i.e., with a global and constant | |||
| "CONTEXT") -- particularly when it is a linear function (constant | "CONTEXT") -- particularly when it is a linear function (constant | |||
| increments of 1). | increments of 1). | |||
| Predicting transient numeric identifiers can be of help for other | Predicting transient numeric identifiers can be of help for other | |||
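Review bot: In the IPv6 Identification paragraph, the sentence after the renamed expression says "will leak out information", while the ephemeral-port paragraph above it says "will leak information"; suggest dropping "out" so the two parallel examples read the same. The rename to IP_Src_Addr and IP_Dst_Addr makes the two expressions consistent with each other here, and any use of Dest_IP, IP_src_addr or IP_dst_addr outside the visible lines would need the same change.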
| skipping to change at line 1759 ¶ | skipping to change at line 1759 ¶ | |||
| [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | |||
| Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | |||
| <https://www.rfc-editor.org/info/rfc8446>. | <https://www.rfc-editor.org/info/rfc8446>. | |||
| [RFC8937] Cremers, C., Garratt, L., Smyshlyaev, S., Sullivan, N., | [RFC8937] Cremers, C., Garratt, L., Smyshlyaev, S., Sullivan, N., | |||
| and C. Wood, "Randomness Improvements for Security | and C. Wood, "Randomness Improvements for Security | |||
| Protocols", RFC 8937, DOI 10.17487/RFC8937, October 2020, | Protocols", RFC 8937, DOI 10.17487/RFC8937, October 2020, | |||
| <https://www.rfc-editor.org/info/rfc8937>. | <https://www.rfc-editor.org/info/rfc8937>. | |||
| [RFC9414] Gont, F. and I. Arce, "Unfortunate History of Transient | [RFC9414] Gont, F. and I. Arce, "Unfortunate History of Transient | |||
| Numeric Identifiers", RFC 9414, DOI 10.17487/RFC9414, June | Numeric Identifiers", RFC 9414, DOI 10.17487/RFC9414, July | |||
| 2023, <https://www.rfc-editor.org/info/rfc9414>. | 2023, <https://www.rfc-editor.org/info/rfc9414>. | |||
| [RFC9416] Gont, F. and I. Arce, "Security Considerations for | [RFC9416] Gont, F. and I. Arce, "Security Considerations for | |||
| Transient Numeric Identifiers Employed in Network | Transient Numeric Identifiers Employed in Network | |||
| Protocols", BCP 72, RFC 9416, DOI 10.17487/RFC9416, June | Protocols", BCP 72, RFC 9416, DOI 10.17487/RFC9416, July | |||
| 2023, <https://www.rfc-editor.org/info/rfc9416>. | 2023, <https://www.rfc-editor.org/info/rfc9416>. | |||
| [Romailler2020] | [Romailler2020] | |||
| Romailler, Y., "The Definitive Guide to "Modulo Bias and | Romailler, Y., "The Definitive Guide to "Modulo Bias and | |||
| How to Avoid It"!", Kudelski Security Research, July 2020, | How to Avoid It"!", Kudelski Security Research, July 2020, | |||
| <https://research.kudelskisecurity.com/2020/07/28/the- | <https://research.kudelskisecurity.com/2020/07/28/the- | |||
| definitive-guide-to-modulo-bias-and-how-to-avoid-it/>. | definitive-guide-to-modulo-bias-and-how-to-avoid-it/>. | |||
| [Sanfilippo1998a] | [Sanfilippo1998a] | |||
| Sanfilippo, S., "about the ip header id", message to the | Sanfilippo, S., "about the ip header id", message to the | |||
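Review bot: The [Romailler2020] entry nests unescaped double quotes inside its quoted title ("The Definitive Guide to "Modulo Bias and How to Avoid It"!"), which leaves the title boundary ambiguous; suggest single quotes around the inner title. The June to July correction is applied to both [RFC9414] and [RFC9416], which keeps the two companion references consistent.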
| End of changes. 5 change blocks. | ||||
| 5 lines changed or deleted | 5 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||