Reducing ip_id information leakage
Crist J. Clark
crist.clark at attbi.com
Wed Apr 30 16:17:16 PDT 2003
On Tue, Apr 29, 2003 at 06:47:51PM -0400, Garrett Wollman wrote:
[snip]
> Index: ip_output.c
> ===================================================================
> RCS file: /home/cvs/src/sys/netinet/ip_output.c,v
> retrieving revision 1.187
> diff -u -r1.187 ip_output.c
> --- ip_output.c 12 Apr 2003 06:11:46 -0000 1.187
> +++ ip_output.c 29 Apr 2003 22:42:55 -0000
> @@ -223,17 +223,29 @@
> pkt_dst = args.next_hop ? args.next_hop->sin_addr : ip->ip_dst;
>
> /*
> - * Fill in IP header.
> + * Fill in IP header. If we are not allowing fragmentation,
> + * then the ip_id field is meaningless, so send it as zero
> + * to reduce information leakage. Otherwise, if we are not
> + * randomizing ip_id, then don't bother to convert it to network
> + * byte order -- it's just a nonce. Note that a 16-bit counter
> + * will wrap around in less than 10 seconds at 100 Mbit/s on a
> + * medium with MTU 1500. See Steven M. Bellovin, "A Technique
> + * for Counting NATted Hosts", Proc. IMW'02, available at
> + * <http://www.research.att.com/~smb/papers/fnat.pdf>.
> */
[snip]
> - ip->ip_id = htons(ip_id++);
> + ip->ip_id = ip_id++;
This is actually bad with respect to the spirit of the paper and the
whole idea of information leakage. If I have two FreeBSD machines, one
i386 and one sparc64, they now look different to someone sniffing the
traffic. If I leave the htons(), all of my FreeBSD hosts look
alike. There is less information content in the IP ID field.
--
Crist J. Clark | cjclark at alum.mit.edu
| cjclark at jhu.edu
http://people.freebsd.org/~cjc/ | cjc at freebsd.org
More information about the freebsd-net
mailing list