Reducing ip_id information leakage
Mike Silbersack
silby at silby.com
Wed Apr 30 14:35:40 PDT 2003
On Wed, 30 Apr 2003, Garrett Wollman wrote:
> What we'd really like is cheap random sequences on Z/65536Z. It is
> fairly trivial to generate cheap non-random sequences on that group --
> there's a whole family of trivial ones, but these are easy to analyze.
> Ultimately I don't think it's really worth that much effort, and the
> DF trick, since it's normally enabled for all TCP sessions, gives us
> 99% of the value at 0.1% of the cost.
>
> -GAWollman
I think that even a trivial pseudo-random sequence would be good to
implement. With the standard ip_id++ sequence, you can precisely monitor
the number of packets sent and also determine if two IPs are shared by the
machine without any work. Any sort of psuedo-random sequence would at
least require you to go through some work to determine any information.
I have this nagging feeling that taking most TCP sessions out of the
equation makes the obfuscation of the remaining ip_id'd packets more
important, but I can't figure out why exactly. Do we set the DF flag on
most UDP and ICMP packets?
Mike "Silby" Silbersack
More information about the freebsd-net
mailing list