Reducing ip_id information leakage
Garrett Wollman
wollman at lcs.mit.edu
Wed Apr 30 13:18:54 PDT 2003
<<On Wed, 30 Apr 2003 01:58:36 -0500 (CDT), Mike Silbersack <silby at silby.com> said:
> Looks good to me, I've been contemplating doing just this for a while.
> It's too bad we don't have an inexpensive function we can use for the !DF
> case. I'd like to make the OpenBSD function the default for frag packets,
> but it seems just too heavyweight..
What we'd really like is cheap random sequences on Z/65536Z. It is
fairly trivial to generate cheap non-random sequences on that group --
there's a whole family of trivial ones, but these are easy to analyze.
Ultimately I don't think it's really worth that much effort, and the
DF trick, since it's normally enabled for all TCP sessions, gives us
99% of the value at 0.1% of the cost.
-GAWollman
More information about the freebsd-net
mailing list