svn commit: r280971 - in head: contrib/ipfilter/tools share/man/man4 sys/contrib/ipfilter/netinet sys/netinet sys/netipsec sys/netpfil/pf

Emeric POUPON emeric.poupon at stormshield.eu
Fri Apr 3 13:38:48 UTC 2015


A good random IP ID would certainly be better.
But the current implementation is far from being optimized: a lock is held inside arc4rand, and another one protects the ip_id internals.
We already have contention problems with the IV generated for ESP packets. The randomized IP ID, using this implementation, is in my opinion not an acceptable solution.

Regards,

Emeric


----- Original message -----
From: "Hans Petter Selasky" <hps at selasky.org>
To: "Gleb Smirnoff" <glebius at FreeBSD.org>
Cc: "Mateusz Guzik" <mjguzik at gmail.com>, "Ian Lepore" <ian at freebsd.org>, svn-src-all at freebsd.org, src-committers at freebsd.org, "Robert N. M. Watson" <rwatson at FreeBSD.org>, svn-src-head at freebsd.org
Sent: Friday, 3 April 2015 15:06:51
Subject: Re: svn commit: r280971 - in head: contrib/ipfilter/tools share/man/man4 sys/contrib/ipfilter/netinet sys/netinet sys/netipsec sys/netpfil/pf

On 04/03/15 14:41, Hans Petter Selasky wrote:
> On 04/03/15 13:29, Gleb Smirnoff wrote:
>> On Fri, Apr 03, 2015 at 12:41:54PM +0200, Hans Petter Selasky wrote:
>> H> "ip_do_randomid" is zero by default, and is not documented anywhere:
>> H>
>> H> grep -r ip_do_randomid share/
>>
>> It is documented in inet(4).
>>
>> The actual sysctl knob doesn't match the kernel symbol name, which is
>> allowed in sysctl(9).
>>
>
> Hi,
>
> Will you mind if I rephrase that paragraph in the "inet.4" manual page
> from:
>
> "This closes a minor information leak which allows remote observers to
> determine the rate of packet generation on the machine by watching the
> counter."
>
> Into:
>
> "This prevents high-speed information exchange between internal and
> external observers using packet frequency modulation. An outside
> observer can ping the outside facing port at a fixed rate watching the
> counter. An inside observer can ping the inside facing port watching the
> same counter. Even though packets don't flow between the two ports, data
> can be exchanged by watching changes in the packet rate. It is believed
> that data can be exchanged in Kb/s range this way. Setting this sysctl
> also prevents remote and internal observers to determine the rate of
> packet generation on the machine by watching the counter."
>

Hi,

Maybe there will be some new applications after this discovery. No need 
for uPnP any more. Could be nice to send text messages through 
firewalls. It depends on how many implement IP ID counting the same way 
FreeBSD does ;-)

--HPS
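The covert channel described in the quoted manual-page text, as an added simulation that is not part of the thread or of FreeBSD's code: a toy host hands out IP IDs either from one global 16-bit counter shared by every interface (the sequential default under discussion) or as a fresh random value per packet. An "inside" party modulates how many pings it sends per interval, an "outside" party probes once per interval and reads the IP ID of its own reply, and the ID delta reveals the inside party's packet rate. The rates (2 vs 20 pings per interval), one probe per interval, and the absence of any other traffic on the host are assumptions of the example.

```python
import random

IP_ID_MASK = 0xFFFF  # the IP ID field is 16 bits, so the counter wraps


class SimulatedHost:
    """Toy IP stack (constructed for this example, not FreeBSD's ip_id code).

    randomize=False: one global counter shared by all interfaces, incremented per packet.
    randomize=True:  a fresh 16-bit random ID per packet, the behaviour the randomized-ID
                     sysctl is meant to provide.
    """

    def __init__(self, randomize: bool, seed: int = 0):
        self.randomize = randomize
        self.counter = 0
        self.rng = random.Random(seed)

    def next_ip_id(self) -> int:
        if self.randomize:
            return self.rng.getrandbits(16)
        self.counter = (self.counter + 1) & IP_ID_MASK
        return self.counter


def bits_from_bytes(data: bytes) -> list:
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def bytes_from_bits(bits: list) -> bytes:
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(str(b) for b in bits[i:i + 8]), 2))
    return bytes(out)


def run_channel(host, bits, low_rate=2, high_rate=20):
    """One interval per bit. The inside observer pings the inside-facing port low_rate
    times to send a 0 and high_rate times to send a 1 (assumed rates). The outside
    observer pings the outside-facing port once per interval and keeps the IP ID of
    its reply. No packets cross between the two ports; only the counter is shared.
    Returns the IDs seen by the outside observer."""
    observed = [host.next_ip_id()]  # baseline probe before the first interval
    for bit in bits:
        for _ in range(high_rate if bit else low_rate):
            host.next_ip_id()  # every reply to an inside ping consumes an ID
        observed.append(host.next_ip_id())  # reply to the outside probe
    return observed


def estimate_rates(observed):
    """Packets the host emitted per interval, as inferred from outside: the ID delta
    (mod 2^16, so a wrapped counter is handled) minus the probe's own reply."""
    return [((cur - prev) & IP_ID_MASK) - 1 for prev, cur in zip(observed, observed[1:])]


def decode(observed, low_rate=2, high_rate=20):
    threshold = (low_rate + high_rate) // 2
    return [1 if rate > threshold else 0 for rate in estimate_rates(observed)]


def bit_error_rate(sent, received):
    return sum(a != b for a, b in zip(sent, received)) / len(sent)


def demo(randomize: bool, message: bytes = b"hi") -> tuple:
    """Run the channel once and return (bytes recovered outside, bit error rate)."""
    host = SimulatedHost(randomize=randomize, seed=1)
    sent = bits_from_bytes(message)
    received = decode(run_channel(host, sent))
    return bytes_from_bits(received), bit_error_rate(sent, received)


if __name__ == "__main__":
    for randomize in (False, True):
        msg, ber = demo(randomize)
        print(f"randomize={randomize}: recovered {msg!r}, bit error rate {ber:.2f}")
```

With the shared counter the outside observer recovers the message exactly; with per-packet random IDs the deltas carry no information about the inside party's rate and the decode degenerates to noise. On a real host, background traffic also advances the counter, so the inside party would have to modulate its rate well above the noise floor, which is what limits the achievable bit rate; the simulation leaves that traffic out.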
