Patch to reduce use of global IP ID value(s) to avoid leaking information
Hans Petter Selasky
hps at selasky.org
Sat Apr 4 18:23:34 UTC 2015
Hi Robert,
On 04/04/15 19:11, Robert N. M. Watson wrote:
> and it's not clear it will offer practical benefit nor allow the implementation to be at all efficient -- which is far more important to most FreeBSD users
Then what Putin stated publicly last year is absolutely true:
http://www.theguardian.com/world/2014/apr/24/vladimir-putin-web-breakup-internet-cia
The IPv4 protocol was intentionally designed such that any attempt to
make it more secure will require additional CPU overhead, like keeping
track of 2-tuples for generating per-stream IP IDs, so that it will not
be feasible in practice, and then vendors will do insecure
implementations instead of secure implementations to get the needed
performance. The IP ID field was then intentionally designed to be too
small, 16-bit. If Snowden leaks documents on this, it would for sure
confirm this claim.
OK, Robert, I fully understand and will not touch this issue any more
before my head gets cut off :-) I appreciate your openness and
willingness to share information on this issue. You know the IPv4
history even before I came to this world.
--HPS
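As an added illustration (not part of the original message or of the FreeBSD patch under discussion), the C simulation below contrasts a single global IP ID counter with per-destination counters keyed on the 2-tuple the message mentions, and shows what an observer who only sees packets to one destination can infer about the sender's traffic to everyone else; the addresses, table size and hash are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Global counter: one 16-bit ID sequence shared by every destination. */
static uint16_t global_next_id;

uint16_t ipid_global(uint32_t dst) {
    (void)dst;
    return global_next_id++;
}

/* Per-destination counters keyed on the (src, dst) 2-tuple. The source is
 * fixed in this simulation, so the key collapses to dst. This small
 * open-addressed table stands in for the per-flow state the kernel would
 * have to keep, which is the CPU/memory cost the thread argues about. */
#define TBL 64
struct slot { uint32_t dst; uint16_t next; int used; };
static struct slot tbl[TBL];

uint16_t ipid_per_dest(uint32_t dst) {
    unsigned h = (unsigned)(dst * 2654435761u) % TBL;   /* constructed hash */
    while (tbl[h].used && tbl[h].dst != dst)
        h = (h + 1) % TBL;
    if (!tbl[h].used) {
        tbl[h].used = 1;
        tbl[h].dst = dst;
        tbl[h].next = 0;
    }
    return tbl[h].next++;
}

/* What an observer who only receives traffic to `probe` learns: the number
 * of IDs skipped between two consecutive packets to it, i.e. how many
 * packets the sender emitted to anyone else in between (mod 2^16).
 * A value of 0 means the ID sequence leaks nothing about other traffic. */
unsigned leaked_count(uint16_t (*gen)(uint32_t), uint32_t probe,
                      uint32_t other, unsigned n_other) {
    uint16_t first = gen(probe);
    for (unsigned i = 0; i < n_other; i++)
        gen(other);                         /* traffic to a third party */
    uint16_t second = gen(probe);
    return (uint16_t)(second - first) - 1u;
}

int main(void) {
    uint32_t a = 0x0a000001u, b = 0x0a000002u;   /* constructed addresses */
    printf("global counter leaks:   %u\n", leaked_count(ipid_global, a, b, 7));
    printf("per-dest counter leaks: %u\n", leaked_count(ipid_per_dest, a, b, 7));
    return 0;
}
```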