Thank you for your response.

> Um, no... it doesn't say that either. Cutting and pasting from your
> own results, the difficulty level shows no change:

Sorry, it's my mistake. I've reposted a correct result already. Please see it.
It shows the patch can generate true random-class sequence numbers.

> > But some people may regard the vulnerability as a serious one, so
> > I propose it as one of the kernel options for such people.
>
> Huh? Who?
>
It is required to show that the kernel can generate true random-class TCP
sequence numbers with a security checker in order to deliver the product to
customers. At least, some of our customers say that. In those cases, they
prefer security to performance.

> You're still vulnerable to TCP hijacking attacks if the attacker is on
> your local subnet, or on the network path between the client and the
> server. No use of a crypto hash for a checksum will change that. If
> you're concerned about TCP hijacking attacks, the only solution is
> real crypto; either ssh or IPSEC.
>
In all likelihood, it may be the best solution. I'm willing to agree with
you at this point. Nowadays, the Linux kernel has come to be used for
embedded use. However, it is difficult to choose this solution in such
cases, because they do not have enough disk space to install them in most
cases. So I proposed to make the kernel use the MD5 algorithm optionally.

> The MD4 hash provides adequate protection for someone who is
> attempting a brute-force attack; although they can probably succeed
> within a day or so, or perhaps even in hours, that's still enough that
> it won't be practical to attack a TCP connection in real time.
>
It may be true from a practical point of view.

Sincerely yours,
--
---------------------------
Takeharu KATO
E-mail: tk1219@alles.or.jp
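The thread argues about which hash to put inside the kernel's TCP initial sequence number generator, but never shows the construction the hash sits in or the attack it defends against. The following is an added example, not code from this thread or from the Linux kernel: it implements the RFC 1948 scheme, ISN = M + F(4-tuple, secret), and runs the classic prediction attack against it and against the older clock-only scheme. F is SipHash-2-4 rather than the MD4/MD5 the thread debates, simply because a complete keyed hash fits in a few dozen lines here; the boot-time secret, the 4 us clock tick for M, the IPv4 tuples and the clock readings are all constructed for the demonstration.

```c
/* Added example (not from the thread or the kernel): RFC 1948 ISNs,
 * ISN = M + F(4-tuple, secret), with SipHash-2-4 as F.  Assumed: a 16-byte
 * boot-time secret, a 4 us clock tick for M, IPv4 addresses, and the
 * constructed sample inputs below. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ROTL64(x, b) ((uint64_t)(((x) << (b)) | ((x) >> (64 - (b)))))
#define SIPROUND do { \
    v0 += v1; v1 = ROTL64(v1, 13); v1 ^= v0; v0 = ROTL64(v0, 32); \
    v2 += v3; v3 = ROTL64(v3, 16); v3 ^= v2;                      \
    v0 += v3; v3 = ROTL64(v3, 21); v3 ^= v0;                      \
    v2 += v1; v1 = ROTL64(v1, 17); v1 ^= v2; v2 = ROTL64(v2, 32); \
} while (0)

static uint64_t load_le64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* SipHash-2-4 (Aumasson and Bernstein): 64-bit tag over `in` under `key`. */
uint64_t siphash24(const uint8_t *in, size_t inlen, const uint8_t key[16])
{
    uint64_t v0 = 0x736f6d6570736575ULL, v1 = 0x646f72616e646f6dULL;
    uint64_t v2 = 0x6c7967656e657261ULL, v3 = 0x7465646279746573ULL;
    uint64_t k0 = load_le64(key), k1 = load_le64(key + 8);
    uint64_t b = (uint64_t)inlen << 56;         /* length byte of the last block */
    const uint8_t *end = in + (inlen & ~(size_t)7);

    v3 ^= k1; v2 ^= k0; v1 ^= k1; v0 ^= k0;
    for (; in != end; in += 8) {                /* full 8-byte blocks */
        uint64_t m = load_le64(in);
        v3 ^= m; SIPROUND; SIPROUND; v0 ^= m;
    }
    for (size_t i = 0; i < (inlen & 7); i++)    /* trailing bytes, little-endian */
        b |= (uint64_t)in[i] << (8 * i);
    v3 ^= b; SIPROUND; SIPROUND; v0 ^= b;
    v2 ^= 0xff;                                 /* finalization */
    SIPROUND; SIPROUND; SIPROUND; SIPROUND;
    return v0 ^ v1 ^ v2 ^ v3;
}

/* Known-answer check from the SipHash paper: key 00..0f, message 00..0e. */
int siphash_selftest(void)
{
    uint8_t key[16], msg[15];
    for (int i = 0; i < 16; i++) key[i] = (uint8_t)i;
    for (int i = 0; i < 15; i++) msg[i] = (uint8_t)i;
    return siphash24(msg, sizeof msg, key) == 0xa129ca6149be45e5ULL;
}

struct conn_id { uint32_t saddr, daddr; uint16_t sport, dport; };

/* Pre-RFC 1948 behaviour: the ISN is a clock shared by every connection,
 * so one observed ISN plus the elapsed time predicts everyone else's. */
uint32_t tcp_isn_legacy(uint64_t clock_ticks) { return (uint32_t)clock_ticks; }

/* RFC 1948: add a per-4-tuple offset derived from a secret the attacker lacks. */
uint32_t tcp_isn_hashed(const struct conn_id *c, const uint8_t secret[16],
                        uint64_t clock_ticks)
{
    uint8_t buf[12];
    memcpy(buf, &c->saddr, 4);     memcpy(buf + 4, &c->daddr, 4);
    memcpy(buf + 8, &c->sport, 2); memcpy(buf + 10, &c->dport, 2);
    return (uint32_t)siphash24(buf, sizeof buf, secret) + (uint32_t)clock_ticks;
}

/* Attacker model: observe the ISN of their own connection at t0, then guess
 * the victim's ISN at t1 as observed + (t1 - t0).  Returns 1 on a hit. */
int attacker_prediction_hits(uint32_t observed, uint64_t t0,
                             uint32_t actual, uint64_t t1)
{
    return observed + (uint32_t)(t1 - t0) == actual;
}

/* Constructed inputs: boot-time secret, the attacker's and the victim's
 * 4-tuples to the same server port, two clock readings 1 ms (250 ticks) apart. */
static const uint8_t demo_secret[16] = { 0xde,0xad,0xbe,0xef,0x01,0x23,0x45,0x67,
                                         0x89,0xab,0xcd,0xef,0x10,0x32,0x54,0x76 };
static const struct conn_id demo_attacker = { 0x0a000001u, 0xc0a80105u, 80, 49153 };
static const struct conn_id demo_victim   = { 0x0a000001u, 0x0a000002u, 80, 53250 };
static const uint64_t demo_t0 = 1000000, demo_t1 = 1000250;

int legacy_scheme_predictable(void)
{
    return attacker_prediction_hits(tcp_isn_legacy(demo_t0), demo_t0,
                                    tcp_isn_legacy(demo_t1), demo_t1);
}

int hashed_scheme_predictable(void)
{
    return attacker_prediction_hits(
        tcp_isn_hashed(&demo_attacker, demo_secret, demo_t0), demo_t0,
        tcp_isn_hashed(&demo_victim, demo_secret, demo_t1), demo_t1);
}
```

The point the example makes is the one the quoted reply makes about hijacking: the keyed hash stops an off-path attacker from deriving a victim's ISN from their own connections, since `legacy_scheme_predictable()` returns 1 and `hashed_scheme_predictable()` returns 0 (the two 4-tuples hash to different offsets), but it does nothing against an attacker on the path who simply reads the ISN from the SYN-ACK; only encryption or authentication of the stream covers that case. Swapping MD4 for MD5 or SipHash changes how long a brute-force recovery of `demo_secret` takes from observed ISNs, not which attackers the scheme addresses.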