Reducing ip_id information leakage
mark tinguely
tinguely at web.cs.ndsu.nodak.edu
Sun May 4 10:50:14 PDT 2003
On Wed, 30 Apr 2003 01:58:36 CDT, Mike Silbersack <silby at silby.com> said:
> It's too bad we don't have an inexpensive function we can use for the !DF
> case. I'd like to make the OpenBSD function the default for frag packets,
> but it seems just too heavyweight.
I guess I am in the mood to beat a dead horse....
1) Have a less global counter (limits wrap on high-speed connections) that
   starts with a random initial number.
2) For each DF packet in this counter group, add a relatively prime number.
   a) can also choose a random relatively prime number when this counter is
      created.
Results:
- Keeps the 2^16 numbering space.
- Less global (think per interface, or per source/destination/port, as
  mentioned that is done in Solaris).
- The overhead is only 32 bits of storage and a couple of accesses more.
--Mark Tinguely
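The scheme in the post, written out as an added example (this is not code from the post, from FreeBSD, or from any of the systems named): one counter group holds a random start value and a random odd step, which is exactly the "relatively prime to 2^16" condition, so successive ids still walk the whole 2^16 space before repeating, while the start and stride are not predictable across groups. The `xorshift32` seed mixer and the `ipid_group` name are assumptions made for this example; a kernel would take its randomness from its own CSPRNG (arc4random on FreeBSD). The final function shows the failure mode the relative-prime rule prevents: an even step repeats after at most 32768 ids.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/*
 * One counter group (per interface, or per source/destination/port).
 * Two 16-bit fields: the 32 bits of storage the post mentions.
 */
struct ipid_group {
    uint16_t cur;   /* next id to hand out; random initial value        */
    uint16_t step;  /* increment; odd, hence relatively prime to 2^16    */
};

/* Small deterministic mixer so the example runs offline (assumption; not a CSPRNG). */
static uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    *s = x;
    return x;
}

/* Initialise a group: random start id, random odd step. */
void ipid_group_init(struct ipid_group *g, uint32_t seed)
{
    uint32_t s = seed ? seed : 1u;          /* xorshift must not start at 0 */
    g->cur  = (uint16_t)xorshift32(&s);
    g->step = (uint16_t)(xorshift32(&s) | 1u); /* forcing the low bit makes it odd */
}

/* Hand out the next id: one 16-bit add, wraps naturally. */
uint16_t ipid_next(struct ipid_group *g)
{
    uint16_t id = g->cur;
    g->cur = (uint16_t)(g->cur + g->step);
    return id;
}

/*
 * Walk 65536 ids from a group and report whether every value appeared
 * exactly once (1) or some value repeated early (0).
 */
static int walk_is_permutation(struct ipid_group *g)
{
    unsigned char *seen = calloc(65536, 1);
    int ok = 1;
    if (seen == NULL)
        return 0;
    for (uint32_t i = 0; i < 65536; i++) {
        uint16_t id = ipid_next(g);
        if (seen[id]) { ok = 0; break; }
        seen[id] = 1;
    }
    free(seen);
    return ok;
}

/* With an odd step the full 2^16 space is used before any id repeats. */
int ipid_full_cycle(uint32_t seed)
{
    struct ipid_group g;
    ipid_group_init(&g, seed);
    return walk_is_permutation(&g);
}

/* Counter-example: an even step shares a factor with 2^16 and repeats early. */
int ipid_even_step_repeats(void)
{
    struct ipid_group g = { .cur = 12345, .step = 2 };
    return walk_is_permutation(&g) == 0;
}

int main(void)
{
    struct ipid_group g;
    ipid_group_init(&g, 0x1234u);
    printf("start=%u step=%u (odd: %s)\n", g.cur, g.step, (g.step & 1) ? "yes" : "no");
    printf("odd step covers all 2^16 ids: %d\n", ipid_full_cycle(0x1234u));
    printf("even step repeats early:       %d\n", ipid_even_step_repeats());
    return 0;
}
```

Keeping the step odd is the whole trick: any odd number is relatively prime to 2^16, so the counter is a permutation of the id space no matter which odd step a group picks, and an observer who sees ids from one group learns nothing about the start or stride of another.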
More information about the freebsd-net mailing list