svn commit: r280971 - in head: contrib/ipfilter/tools share/man/man4 sys/contrib/ipfilter/netinet sys/netinet sys/netipsec sys/netpfil/pf

George Neville-Neil gnn at neville-neil.com
Fri Apr 3 14:00:35 UTC 2015


OK, top post.

This is a general discussion.  Move to net@ and get this out of our 
commit mails please.

Best,
George

On 3 Apr 2015, at 9:38, Emeric POUPON wrote:

> A good ip id random would be certainly better.
> But the current implementation is far from being optimized: a lock is
> being held inside arc4rand, and another one for protecting the ip_id
> internals.
> We already have contention problems with the IV generated for ESP
> packets. The randomized ip id, using this implementation, is in my
> opinion not an acceptable solution.
>
> Regards,
>
> Emeric
>
>
> ----- Original Message -----
> From: "Hans Petter Selasky" <hps at selasky.org>
> To: "Gleb Smirnoff" <glebius at FreeBSD.org>
> Cc: "Mateusz Guzik" <mjguzik at gmail.com>, "Ian Lepore"
> <ian at freebsd.org>, svn-src-all at freebsd.org,
> src-committers at freebsd.org, "Robert N. M. Watson"
> <rwatson at FreeBSD.org>, svn-src-head at freebsd.org
> Sent: Friday 3 April 2015 15:06:51
> Subject: Re: svn commit: r280971 - in head: contrib/ipfilter/tools
> share/man/man4 sys/contrib/ipfilter/netinet sys/netinet sys/netipsec
> sys/netpfil/pf
>
> On 04/03/15 14:41, Hans Petter Selasky wrote:
>> On 04/03/15 13:29, Gleb Smirnoff wrote:
>>> On Fri, Apr 03, 2015 at 12:41:54PM +0200, Hans Petter Selasky wrote:
>>> H> "ip_do_randomid" is zero by default, and is not documented anywhere:
>>> H>
>>> H> grep -r ip_do_randomid share/
>>>
>>> It is documented in inet(4).
>>>
>>> The actual sysctl knob doesn't match the kernel symbol name, which is
>>> allowed in sysctl(9).
>>>
>>
>> Hi,
>>
>> Will you mind if I rephrase that paragraph in the "inet.4" manual page
>> from:
>>
>> "This closes a minor information leak which allows remote observers to
>> determine the rate of packet generation on the machine by watching the
>> counter."
>>
>> Into:
>>
>> "This prevents high-speed information exchange between internal and
>> external observers using packet frequency modulation. An outside
>> observer can ping the outside facing port at a fixed rate watching the
>> counter. An inside observer can ping the inside facing port watching the
>> same counter. Even though packets don't flow between the two ports, data
>> can be exchanged by watching changes in the packet rate. It is believed
>> that data can be exchanged in the Kb/s range this way. Setting this sysctl
>> also prevents remote and internal observers from determining the rate of
>> packet generation on the machine by watching the counter."
>>
>
> Hi,
>
> Maybe there will be some new applications after this discovery. No need
> for uPnP any more. Could be nice to send text messages through
> firewalls. Depends how many implement the IP ID counting the same way
> as FreeBSD does ;-)
>
> --HPS
>
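The counter leak that the proposed inet(4) wording describes, as an added simulation that is not part of this thread or of FreeBSD's code: a 16-bit IP ID source under the two policies (one global counter versus a random value per packet), and an observer who receives a reply at a fixed interval and estimates the host's hidden packet rate from consecutive IDs. The names (IpIdSource, observe, estimate_rate, compare_policies) and the traffic figures are constructed for the example.

```python
import random

ID_SPACE = 1 << 16  # the IPv4 Identification field is 16 bits wide


class IpIdSource:
    """Constructed model of the two ip_id policies the thread discusses:
    one global counter shared by all flows, or a fresh random value per packet."""

    def __init__(self, randomize, seed=0):
        self.randomize = randomize
        self.counter = 0
        self.rng = random.Random(seed)  # seeded only so the demo is repeatable

    def next_id(self):
        if self.randomize:
            return self.rng.randrange(ID_SPACE)
        self.counter = (self.counter + 1) % ID_SPACE
        return self.counter


def observe(source, hidden_rate, interval, probes):
    """IDs seen by an observer who gets one reply every `interval` seconds
    while the host also sends `hidden_rate` packets/s to destinations the
    observer cannot see.  Only the probe replies' IDs are visible to it."""
    seen = []
    for _ in range(probes):
        for _ in range(int(hidden_rate * interval)):  # traffic to other hosts
            source.next_id()
        seen.append(source.next_id())  # the reply the observer receives
    return seen


def estimate_rate(ids, interval):
    """Observer's estimate of the hidden packet rate (packets/s): with a
    global counter, (delta - 1) is exactly the number of packets the host
    sent to others between two consecutive replies."""
    deltas = [(b - a) % ID_SPACE - 1 for a, b in zip(ids, ids[1:])]
    return sum(deltas) / len(deltas) / interval


def compare_policies(hidden_rate=50, interval=1.0, probes=20):
    """Rate estimate under both policies.  Sequential IDs leak the true rate
    exactly; random IDs give a meaningless value around ID_SPACE / 2."""
    seq = estimate_rate(observe(IpIdSource(False), hidden_rate, interval, probes), interval)
    rnd = estimate_rate(observe(IpIdSource(True), hidden_rate, interval, probes), interval)
    return seq, rnd
```

With the global counter the observer recovers the true 50 packets/s exactly, which is the signal the covert channel above modulates; with random IDs the same arithmetic yields noise near 32768, so the sysctl removes the channel regardless of probe rate.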

