Patch to reduce use of global IP ID value(s) to avoid leaking information

Emeric POUPON emeric.poupon at stormshield.eu
Mon Apr 13 08:57:57 UTC 2015


> I'm talking about sampling the IP ID value you get in return from a PING 
> response. A firewall typically has multiple ports. If pinging the 
> gateway from any of these ports cause an increment of a shared IP ID 
> value, then anyone that can ping the common firewall will see the IP ID 
> updates the other parties are doing.
>
> --HPS


Hello,

I know this is not exactly the "attack" you described (RX/TX communication using IP ID),
but our random implementation of IP ID does not completely prevent somebody from guessing the traffic made by the gateway.
By default we use a parameter (N=8192) in order not to reuse a given amount of previously used IP IDs.
If you ping the gateway and if there is no traffic, you are sure not to get the N previously received IP IDs.
This is a kind of hint of the load of the gateway.


Emeric
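The behaviour Emeric describes, modelled as an added example in Python (this is not the FreeBSD implementation and not code from this thread). The generator class, the ping-then-background-traffic scenario and the lower-bound inference are assumptions of the toy model: a uniformly random 16-bit ID is drawn, but any value among the last N issued IDs is rejected, so a host that only sees its own ping replies can still tell an idle gateway from a busy one, and can derive a lower bound on traffic it never saw.

```python
"""Toy model, added as an illustration: a randomized IP ID generator that
refuses to reuse any of the last N issued IDs, and what an observer who
only receives its own ping replies can infer from that. Not FreeBSD code."""
import random
from collections import deque

ID_SPACE = 1 << 16   # the IPv4 Identification field is 16 bits
N = 8192             # exclusion window quoted in the post


class RandomIpIdGen:
    """Assumed generator: uniform random 16-bit ID, excluding the last n issued.

    The exclusion guarantees that at least n other IDs are issued between two
    issuances of the same value; that guarantee is exactly what leaks."""

    def __init__(self, n=N, seed=0):
        self.n = n
        self.rng = random.Random(seed)
        self.recent = deque()      # last n IDs in issue order
        self.recent_set = set()    # same IDs, for O(1) membership checks

    def next_id(self):
        while True:
            cand = self.rng.randrange(ID_SPACE)
            if cand not in self.recent_set:
                break
        if len(self.recent) == self.n:
            self.recent_set.discard(self.recent.popleft())
        self.recent.append(cand)
        self.recent_set.add(cand)
        return cand


def observe(gen, pings, other_per_gap):
    """Constructed scenario: the observer pings once, then the gateway sends
    other_per_gap packets to other hosts before the next ping arrives.
    Returns only the IDs the observer received."""
    seen = []
    for _ in range(pings):
        seen.append(gen.next_id())
        for _ in range(other_per_gap):
            gen.next_id()
    return seen


def repeats_within(ids, n):
    """Count observations whose ID also appeared among the previous n
    observations. For an idle gateway with the exclusion window this is
    always 0; for a plain random generator it is clearly positive."""
    window = deque()
    present = {}
    count = 0
    for v in ids:
        if present.get(v, 0) > 0:
            count += 1
        window.append(v)
        present[v] = present.get(v, 0) + 1
        if len(window) > n:
            present[window.popleft()] -= 1
    return count


def min_other_traffic(ids, n):
    """Lower bound on packets the gateway sent to *other* hosts during the
    sample, using only the observer's own IDs: if an ID comes back after k
    further pings, the generator must have issued at least n IDs in between,
    of which only k - 1 went to the observer, so at least n - (k - 1) went
    elsewhere."""
    last_pos = {}
    bound = 0
    for i, v in enumerate(ids):
        if v in last_pos:
            k = i - last_pos[v]
            bound = max(bound, n - (k - 1))
        last_pos[v] = i
    return bound


if __name__ == "__main__":
    idle = observe(RandomIpIdGen(seed=1), 3000, 0)
    print("idle gateway: repeats within window =", repeats_within(idle, N))
    naive = [random.Random(1).randrange(ID_SPACE) for _ in range(3000)]
    print("plain random IDs: repeats within window =", repeats_within(naive, N))
    busy = observe(RandomIpIdGen(n=1024, seed=2), 1500, 1024)
    print("busy gateway (n=1024): at least", min_other_traffic(busy, 1024),
          "packets went to other hosts")
```

The idle run never repeats an ID within the window, which is the "hint" in the post: seeing no repeats in your last N replies is consistent only with little background traffic, while a repeat after k pings proves at least N - (k - 1) packets went to someone else. The busy run uses a smaller window (n=1024) purely to keep the simulation fast; the inference is the same at N=8192.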


More information about the freebsd-net mailing list