Patch to reduce use of global IP ID value(s) to avoid leaking information
Robert N. M. Watson
rwatson at freebsd.org
Sat Apr 4 12:54:46 UTC 2015
On 4 Apr 2015, at 09:40, Hans Petter Selasky <hps at selasky.org> wrote:
>> On 04/03/15 23:36, Gleb Smirnoff wrote:
>> The documentation on net.inet.ip.random_id is solid and doesn't need the
>> text from your commit.
>
> Let me detail a bit more. The old text describing "random_id" clearly gives the wrong impression. It says that information is only leaking one way. It is for sure very misleading. Information can leak both from the inside to the outside and from the outside to the inside. And also between two outsiders or two insiders. That's what's scares me.
>
> Try using my testapp if you don't believe me.
>
> Given that the ICMP limit is 200 per second by default, I would guess that 199 bits could at maximum be transferred per second in between two parties using the proper algorithms.
>
> If I myself was setting up a firewall, this is the kind of stuff I would like to know about in advance.
Covert and side channels are inherent to the design of contemporary processors and operating systems -- via caches, memory bandwidth, OS scheduling, statistics, clock drift due to temperature, protocol counters, rate limiters, etc. The inherent difficulty of addressing malicious information-leak mechanisms means that our time is far better invested in trying to document and mitigate side channels than covert channels, whose existence must be taken for granted. And it's not just the IP ID field: almost any practical firewall configuration will be susceptible to lots of leaks of this sort. For example, rate limiting ICMP replies, TCP RST packets, etc, are all potential covert channels. And that is before you start letting through application-level protocols like DNS.
Instead, we simply need warning that the fundamental function of a firewall -- of communication as much as blocking or it would be a dual-homed host not a firewall -- makes it susceptible to covert channels by design. Firewalls are about limiting overt communication -- if you want to limit covert communication you need very different hardware and software designs.
Robert
More information about the freebsd-net
mailing list