On Thu, 2 Sep 1999, Geoff Rehmet wrote: > > How do OpenBSD do it? > > They use arc4random(), to add a random increment.
And you do ISN = C + f(state) where C is a 250KHz counter and f is your cut-down MD5? And state = {random secret, src addr, src port, dst addr, dst port, ?} I haven't had time to read through the patch yet, I'm sorry. > > Just curious whether you have a reference for doing this or > > whether it was an ad-hoc change. Playing with cryptographic > > algorithms isn't usually a good idea unless you're sure, as I'm > > sure you know. > > Yup - dead right. The requirements in this instance are however > also slightly different to what you normally use a cryptographic > hash for. I want to let the code be picked at a bit before > it goes into the tree though. What speed difference is there between MD5 and your cut-down version? Have you benchmarked performance differences in general? I'm also still curious about your rationale/references for modifying MD5 in that way. The other comment I have is that this should probably be hidden behind a sysctl for configurability and to appease folks who might not like it. > > I'd expect Yarrow to be (perhaps quite a bit) slower than our existing > > PRNG - it's a more conservative design and uses primitives > > like SHA-1 (for > > yarrow-160). I don't know how much of an impact this would be for > > network performance. > > If it is only used to generate a secret every 5 minutes, that should > not be a problem. Sounds reasonable. Kris To Unsubscribe: send mail to majord...@freebsd.org with "unsubscribe freebsd-hackers" in the body of the message