Patch to reduce use of global IP ID value(s) to avoid leaking information
Hans Petter Selasky
hps at selasky.org
Sat Apr 4 08:39:49 UTC 2015
Hi Gleb,
On 04/03/15 23:36, Gleb Smirnoff wrote:
> The documentation on net.inet.ip.random_id is solid and doesn't need the
> text from your commit.
Let me detail a bit more. The old text describing "random_id" clearly
gives the wrong impression. It says that information is only leaking one
way. It is for sure very misleading. Information can leak both from the
inside to the outside and from the outside to the inside. And also
between two outsiders or two insiders. That's what's scares me.
Try using my testapp if you don't believe me.
Given that the ICMP limit is 200 per second by default, I would guess
that 199 bits could at maximum be transferred per second in between two
parties using the proper algorithms.
If I myself was setting up a firewall, this is the kind of stuff I would
like to know about in advance.
--HPS
More information about the freebsd-net
mailing list