Reducing ip_id information leakage
Crist J. Clark
crist.clark at attbi.com
Wed Apr 30 16:05:44 PDT 2003
On Thu, May 01, 2003 at 02:23:44AM +0400, "."@babolo.ru wrote:
> > <<On Wed, 30 Apr 2003 16:35:24 -0500 (CDT), Mike Silbersack <silby at silby.com> said:
[snip]
> > The trouble is that we need sequences that are guaranteed not to
> > repeat too fast -- and even then we'll still break on modern networks
> > anyway, as I noted in my comment.
> Why not to use 16 bit of 32 bit pseudorandom generator?
Uhh... I might be missing a joke here, but the problem is that after
you put 65536 packets onto the wire, the next one _must_ have a
repeated IP ID (since there are only 65536 possible). Choosing a
random IP ID only can make this problem worse. As many of the
references perviously discussed or a very simple calculation on your
own will show, with a perfect random generator, after about 300
packets, there is a 50-50 chance the next packet's IP ID will
collide (good ol' "birthday paradox").
--
Crist J. Clark | cjclark at alum.mit.edu
| cjclark at jhu.edu
http://people.freebsd.org/~cjc/ | cjc at freebsd.org
More information about the freebsd-net
mailing list