Subject: Re: CVS commit: src/sys/netinet
To: None <perry@piermont.com>
From: Jun-ichiro itojun Hagino <itojun@itojun.org>
List: tech-crypto
Date: 09/07/2003 05:03:01
> > I'm not sure that arc4random is appropriate for ip sequence numbers,
> > it doesn't have the correct properties.  In particular the same output
> > value can be generated by adjacent calls to the function - which you
> > definitely don't want!  This will be true for any generator with more
> > than 32 bits of state (or rather if the required value is smaller than
> > the state).
> 
> Ideally, we want something that generates an unpredictable ergodic
> sequence of some sort -- that is to say, a sequence guaranteed to
> cycle through all possible values, but in an unpredictable order.
> 
> I'm not entirely sure what the right way to do this is, though.

	i'm thinking of turning niels' collision-resistant generator code
	(sys/netinet/ip_id.c) into some generic library function, maybe in
	libc.  it should make it easier to use it in multiple places.

	- each consumer has to have context
	- each consumer initializes the context with (1) a rekey timer, (2) the
	  number of bits she wants (like 16 bits in the IPv4 fragment ID case), and such.
	- a function gives the consumer collision-resistant number stream
	- a function to free() the context

	rough draft is below.  does it look ok?

itojun


	/* in library-local header; completes the public forward declaration */
	struct randomid_ctxt {
		/* users shouldn't look at the content */
	};

	/* in public header */
	struct randomid_ctxt;
	typedef struct randomid_ctxt *randomid_t;

	/*
	 * returns 0 on success (and sets *p)
	 * negative on failure (-EINVAL and such) (and sets *p to NULL)
	 * supported bits: 32 and 16 for now, maybe 20 too?
	 * (need to choose prime carefully so we can't just support any "bits")
	 */
	int randomid_init(int bits, long timeout, randomid_t *p);

	u_int32_t randomid(randomid_t p);

	void randomid_free(randomid_t p);
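One way to flesh out the sketch above, as an added example rather than itojun's ip_id.c or any NetBSD code: the three calls are implemented on top of a keyed four-round Feistel permutation applied to a running counter. A Feistel network is a bijection whatever its round function, so every run of 2^bits consecutive calls emits each value in [0, 2^bits) exactly once, in a key-dependent order, which is the "cycle through all possible values in an unpredictable order" behaviour asked for earlier in the thread. The key and the counter's starting point are replaced once `timeout' seconds have elapsed, and uniqueness is only guaranteed within one key period. It goes beyond the 16/32-bit choice in the sketch and accepts any even width from 8 to 32 bits, since the two halves merely have to be equal. The round function, the key source (/dev/urandom with a deliberately weak time-based fallback so the block runs anywhere), the round count and the randomid_full_cycle check helper are all assumptions of this example; the toy round function has not been analysed, so the order should not be treated as cryptographically unpredictable.

```c
/* Added example (not itojun's ip_id.c, not NetBSD code): the sketched
 * randomid API as a keyed Feistel permutation of a counter.  Every 2^bits
 * consecutive calls emit each value in [0, 2^bits) exactly once; key and
 * counter are replaced every `timeout' seconds.  Round function is a toy. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

struct randomid_ctxt {          /* opaque to callers */
	int half;               /* bits / 2: width of one Feistel half */
	uint32_t mask, hmask;   /* 2^bits - 1 and 2^half - 1 */
	uint32_t counter;       /* position in the current cycle */
	uint32_t key[4];        /* one key per Feistel round */
	long timeout;           /* rekey interval in seconds, 0 = never */
	time_t rekeyed;         /* when key[] was last replaced */
};
typedef struct randomid_ctxt *randomid_t;

/* Key material from /dev/urandom; the fallback is weak (assumption) and only
 * keeps the example self-contained, a real library would fail instead. */
static void randomid_entropy(uint32_t *buf, size_t n)
{
	FILE *f = fopen("/dev/urandom", "rb");
	size_t got = 0;
	if (f != NULL) {
		got = fread(buf, sizeof *buf, n, f);
		fclose(f);
	}
	for (; got < n; got++)          /* fallback: mix time and an address */
		buf[got] = (uint32_t)((time(NULL) + got + (uintptr_t)buf) * 0x9E3779B1u);
}

static void randomid_rekey(struct randomid_ctxt *c)
{
	uint32_t buf[5];
	randomid_entropy(buf, 5);
	memcpy(c->key, buf, sizeof c->key);
	c->counter = buf[4] & c->mask;  /* random starting point in the cycle */
	c->rekeyed = time(NULL);
}

/* Toy keyed round function; a Feistel network is bijective whatever F is. */
static uint32_t randomid_round(uint32_t r, uint32_t k, uint32_t hmask)
{
	uint32_t x = (r ^ k) * 0x9E3779B1u;
	x = (x ^ (x >> 15)) * 0x85EBCA77u;
	return (x ^ (x >> 13)) & hmask;
}

int randomid_init(int bits, long timeout, randomid_t *p)
{
	struct randomid_ctxt *c;
	*p = NULL;
	if (bits < 8 || bits > 32 || (bits & 1) || timeout < 0)
		return -EINVAL;         /* need two halves of equal width */
	if ((c = calloc(1, sizeof *c)) == NULL)
		return -ENOMEM;
	c->half = bits / 2;
	c->mask = bits == 32 ? 0xffffffffu : (1u << bits) - 1;
	c->hmask = (1u << c->half) - 1;
	c->timeout = timeout;
	randomid_rekey(c);
	*p = c;
	return 0;
}

uint32_t randomid(randomid_t c)
{
	uint32_t l, r, t, i;
	if (c->timeout > 0 && (long)(time(NULL) - c->rekeyed) >= c->timeout)
		randomid_rekey(c);      /* uniqueness restarts at every rekey */
	l = (c->counter >> c->half) & c->hmask;
	r = c->counter & c->hmask;
	c->counter = (c->counter + 1) & c->mask;
	for (i = 0; i < 4; i++) {       /* 4-round balanced Feistel network */
		t = r;
		r = l ^ randomid_round(r, c->key[i], c->hmask);
		l = t;
	}
	return (l << c->half) | r;
}

void randomid_free(randomid_t c) { free(c); }

/* Check helper: 2^bits consecutive IDs must cover the space with no repeat. */
int randomid_full_cycle(int bits)
{
	randomid_t ctx = NULL;
	uint64_t n = (uint64_t)1 << bits, i;
	unsigned char *seen = calloc((size_t)(n / 8), 1);
	int ok = seen != NULL && randomid_init(bits, 0, &ctx) == 0;
	for (i = 0; ok && i < n; i++) {
		uint32_t v = randomid(ctx);
		if (v >= n || (seen[v >> 3] & (1u << (v & 7))))
			ok = 0;         /* out of range, or seen before */
		else
			seen[v >> 3] |= (unsigned char)(1u << (v & 7));
	}
	free(seen);
	randomid_free(ctx);
	return ok;
}
```

randomid_full_cycle(16) draws all 65536 IDs of a 16-bit context and returns 1 only if each is in range and none repeats; it returns 0 for a width the init call rejects, such as 15. Two points a real library would change: refuse to start when no entropy is available rather than fall back, and use a vetted keyed permutation (a block cipher narrowed to the ID width) in place of the toy round function, since the no-collision property comes from the Feistel structure but unpredictability comes only from the round function.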