
nddconf More random tcp sequence tcp_isn_passphrase

 
SOLVED
Go to solution
Gunwant
Occasional Advisor


Hi all,

I want to set tcp_isn_passphrase parameter value to 0 for tcp.

I am using ndd -set /dev/tcp tcp_isn_passphrase 0
command to set it to 0.

But this value is not reflected in nddconf file.

When I manually changed NDD_VALUE[5]=0,
and ran the following command

ndd -get /dev/tcp tcp_isn_passphrase

it gives result 1.

I want to know: do I need to reboot the machine to get the values reflected in the nddconf file,

or is there any other way to achieve the same?

Thanks in advance .


Don't wait be create
Laurent Menase
Honored Contributor
Solution

Re: nddconf More random tcp sequence tcp_isn_passphrase


When you do ndd -set /dev/tcp tcp_isn_passphrase 0
it sets an ISN passphrase to the string "0".
Once enabled there is no way to disable tcp_isn_passphrase,

so when you do ndd -get /dev/tcp tcp_isn_passphrase
it answers 1, which means that tcp_isn_passphrase has been set
- it never shows the value, for security considerations -
So even if you reboot, and with tcp_isn_passphrase set to 0 in nddconf,
ndd -get /dev/tcp tcp_isn_passphrase will always return 1.

To disable tcp_isn_passphrase, you need to remove it from nddconf and reboot.
Steven E. Protter
Exalted Contributor

Re: nddconf More random tcp sequence tcp_isn_passphrase

Shalom,

Change the value manually in the nddconf file. Doing it on the fly, as you did, does not change nddconf.

Use the same format as other parameters.

Reboot is not required.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Gunwant
Occasional Advisor

Re: nddconf More random tcp sequence tcp_isn_passphrase

Thanks both of you
Don't wait be create
rick jones
Honored Contributor

Re: nddconf More random tcp sequence tcp_isn_passphrase

Is there a particular reason you want more predictable initial sequence numbers??
there is no rest for the wicked yet the virtuous have no pillows
Gunwant
Occasional Advisor

Re: nddconf More random tcp sequence tcp_isn_passphrase

According to standards, it's a security measure to make sure of using more random TCP numbers.
Don't wait be create
Laurent Menase
Honored Contributor

Re: nddconf More random tcp sequence tcp_isn_passphrase

And setting tcp_isn_passphrase to 0 will make them random, because the passphrase will be "0".


Gunwant
Occasional Advisor

Re: nddconf More random tcp sequence tcp_isn_passphrase


No no, I want to check if tcp_isn_passphrase is set or not.

I didn't know how to set and unset the value
tcp_isn_passphrase.

Actually, the result of
ndd -get /dev/tcp tcp_isn_passphrase is 1, that means it is set to some value. Not necessarily to ZERO 0.
Don't wait be create
Laurent Menase
Honored Contributor

Re: nddconf More random tcp sequence tcp_isn_passphrase

Yes
ndd -get /dev/tcp tcp_isn_passphrase
1 -> means is set whatever value it is and
can't be reset
ndd -get /dev/tcp tcp_isn_passphrase
0 -> means is not set


As soon as an ndd -set /dev/tcp tcp_isn_passphrase anything
is made, it sets the passphrase to "anything"
and there is no way to reset it,
so ndd -get /dev/tcp tcp_isn_passphrase will answer 1.

Gunwant
Occasional Advisor

Re: nddconf More random tcp sequence tcp_isn_passphrase

thanks
Don't wait be create
Gunwant
Occasional Advisor

Re: nddconf More random tcp sequence tcp_isn_passphrase


I have a question: is this the default configuration (tcp_isn_passphrase with some value) or do we have to do it manually after installation?

How is the value used to generate random numbers?
Don't wait be create
Laurent Menase
Honored Contributor

Re: nddconf More random tcp sequence tcp_isn_passphrase

> I have a question, is this the default
> configuration (tcp_isn_passphrase with some
> value) or we have to do it manually after
> installation.

By default tcp_isn_passphrase is not enabled.

As soon as you enter a line with the tcp_isn_passphrase param in nddconf, then it is enabled.

> How the value is used to generate random
> numbers.

For security reasons this can't be explained.
It hashes it with some other non-deterministic values of the kernel to obtain a random seed.
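
An added example, not part of the thread and not HP-supplied tooling: a POSIX sh check that combines the two points made above, that `ndd -get` only reports 1 (set) or 0 (not set), and that persistence depends on an uncommented tcp_isn_passphrase entry in nddconf. It assumes the usual TRANSPORT_NAME[n] / NDD_NAME[n] / NDD_VALUE[n] layout of nddconf; the function names and the sample file content are constructed, and the passphrase value is never printed.

```shell
#!/bin/sh
# Added example: function names and sample data are constructed, not HP-supplied.

# Constructed nddconf content; index 5 mirrors the NDD_VALUE[5] in the thread.
sample_nddconf() {
    cat <<'EOF'
# TRANSPORT_NAME[4]=tcp
# NDD_NAME[4]=tcp_isn_passphrase
TRANSPORT_NAME[0]=ip
NDD_NAME[0]=ip_forwarding
NDD_VALUE[0]=0
TRANSPORT_NAME[5]=tcp
NDD_NAME[5]=tcp_isn_passphrase
NDD_VALUE[5]="constructed placeholder"
EOF
}

# Read nddconf on stdin; print the index of every active (uncommented)
# tcp/tcp_isn_passphrase entry. Exit status 0 if one exists, 1 otherwise.
# NDD_VALUE lines are never echoed, so the passphrase stays out of the output.
nddconf_isn_index() {
    sed -n 's/^[[:space:]]*\([A-Z_]*\)\[\([0-9]*\)]=\(.*\)$/\1 \2 \3/p' |
    awk '
        $1 == "TRANSPORT_NAME" { gsub(/"/, "", $3); transport[$2] = $3 }
        $1 == "NDD_NAME"       { gsub(/"/, "", $3); name[$2] = $3 }
        END {
            for (i in name)
                if (name[i] == "tcp_isn_passphrase" && transport[i] == "tcp") {
                    print i; found = 1
                }
            exit !found
        }'
}

# $1 = output of: ndd -get /dev/tcp tcp_isn_passphrase   (1 = set, 0 = not set)
# stdin = nddconf content. Prints a one-line verdict.
audit_isn_passphrase() {
    runtime=$1
    if idx=$(nddconf_isn_index); then persisted=yes; else persisted=no; fi
    case "$runtime:$persisted" in
        1:yes) echo "set: active now and configured in nddconf index $idx" ;;
        1:no)  echo "set: active now only, no nddconf entry" ;;
        0:yes) echo "not set: nddconf index $idx present but not applied" ;;
        0:no)  echo "not set: no nddconf entry (the default)" ;;
        *)     echo "unexpected ndd -get output: $runtime"; return 2 ;;
    esac
}

# Demo on the constructed sample. On HP-UX (path assumed to be the usual one):
#   audit_isn_passphrase "$(ndd -get /dev/tcp tcp_isn_passphrase)" < /etc/rc.config.d/nddconf
sample_nddconf | audit_isn_passphrase 1
```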