svn commit: r280971 - in head: contrib/ipfilter/tools share/man/man4 sys/contrib/ipfilter/netinet sys/netinet sys/netipsec sys/netpfil/pf

Hans Petter Selasky hps at selasky.org
Fri Apr 3 10:41:21 UTC 2015


On 04/03/15 11:31, Robert N. M. Watson wrote:
>   TCP/IP covert and side channels

Hi,

Can you provide a reference to a document in the area of "TCP/IP covert 
and side channels" which is considered state of the art? Or is this 
literature not publicly available?

According to:

[PS]Covert Messaging Through TCP Timestamps - MIT
web.mit.edu/greenie/Public/CovertMessaginginTCP.ps


<cite> However, covert channels are seldom used due to their complexity 
</cite>

Further it gives an example about having to send 3 megabytes to transfer 
a single bit.

What I'm pointing at is that sending a handful of ping packets for 
example (hundreds of bytes), in a very short time, is enough to 
broadcast a bit through an entire firewall or router, if all the network 
interfaces get the IP ID from the same linearly incremented source, 
which is the case in FreeBSD:

> https://svnweb.freebsd.org/base/stable/10/sys/netinet/ip_var.h?annotate=263307#l307

"ip_do_randomid" is zero by default, and is not documented anywhere:

grep -r ip_do_randomid share/

> #define ip_newid() ((V_ip_do_randomid != 0) ? ip_randomid() : \
>  	  	  	htons(V_ip_id++))

What is the best efficiency ratio of the "TCP/IP covert and side 
channels" you know about? Are you absolutely sure you are talking about 
the same thing I'm referring to?

--HPS
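
The effect described in the message above, as an added example that is not part of the original post and not FreeBSD kernel code: a user-space model of the quoted ip_newid() macro, comparing how much an observer on one interface learns about traffic on another when IDs come from one shared counter versus a randomized source. All names are hypothetical, htons() is omitted, and the random generator is a stand-in, not the kernel's ip_randomid().

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified user-space model of the ip_newid() macro quoted above.
 * Hypothetical names; htons() is omitted because byte order does not
 * change the arithmetic being shown. */
static uint16_t ip_id;          /* models V_ip_id: one counter for all interfaces */
static int ip_do_randomid;      /* models V_ip_do_randomid (0 by default) */
static uint32_t prng = 0x2545F491u;

/* Stand-in for ip_randomid(): xorshift32, NOT the kernel's algorithm. */
static uint16_t model_randomid(void)
{
    prng ^= prng << 13; prng ^= prng >> 17; prng ^= prng << 5;
    return (uint16_t)(prng >> 8);
}

static uint16_t model_newid(void)
{
    return ip_do_randomid ? model_randomid() : ip_id++;
}

/* The router answers one probe on interface A, emits `other` packets on
 * interface B, then answers a second probe on A. Returns how many IDs the
 * observer on A sees "missing" between its two replies. */
static uint16_t observed_gap(unsigned other)
{
    uint16_t first = model_newid();
    for (unsigned i = 0; i < other; i++)
        (void)model_newid();            /* traffic the observer never sees */
    uint16_t second = model_newid();
    return (uint16_t)(second - first - 1);
}

/* Count trials in which the gap equals the hidden packet count exactly. */
static int exact_leaks(int randomize, int trials)
{
    int hits = 0;
    ip_do_randomid = randomize;
    for (int t = 0; t < trials; t++)
        hits += (observed_gap((unsigned)(t % 8)) == (uint16_t)(t % 8));
    return hits;
}

int main(void)
{
    printf("linear counter: %d/1000 exact\n", exact_leaks(0, 1000));
    printf("randomized IDs: %d/1000 exact\n", exact_leaks(1, 1000));
    return 0;
}
```

With the shared linear counter the gap equals the unseen packet count in every trial, including across 16-bit wraparound; with randomized IDs the gap carries essentially no information about it.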

