svn commit: r280971 - in head: contrib/ipfilter/tools share/man/man4 sys/contrib/ipfilter/netinet sys/netinet sys/netipsec sys/netpfil/pf
Robert Watson
rwatson at FreeBSD.org
Fri Apr 3 16:28:32 UTC 2015
On Fri, 3 Apr 2015, Hans Petter Selasky wrote:
> Will you mind if I rephrase that paragraph in the "inet.4" manual page from:
>
> "This closes a minor information leak which allows remote observers to
> determine the rate of packet generation on the machine by watching the
> counter."
>
> Into:
>
> "This prevents high-speed information exchange between internal and external
> observers using packet frequency modulation. An outside observer can ping
> the outside facing port at a fixed rate watching the counter. An inside
> observer can ping the inside facing port watching the same counter. Even
> though packets don't flow between the two ports, data can be exchanged by
> watching changes in the packet rate. It is believed that data can be
> exchanged in the Kb/s range this way. Setting this sysctl also prevents remote
> and internal observers from determining the rate of packet generation on the
> machine by watching the counter."
Yes, I think this is overly alarmist, and it suggests that other covert
channels might not exist to be exploited if the knob is set -- which isn't
true. We don't promise that there are no covert channels in FreeBSD, and we
would be foolish if we did promise that.
Robert
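As an added example (my code, not from the commit or either author): given timestamped probe replies from one host, this estimates the packet rate a sequential IP ID counter reveals and decides whether the counter is sequential at all, which is the check an administrator would run after setting the knob. The sysctl is not named on the page, and the sample IDs are constructed.

```python
# Added example (not from the commit or the mailing-list thread): audit one
# host's IP ID behaviour from timestamped probe replies. A sequential
# Identification counter leaks the host's packet generation rate to anyone
# who can elicit replies; a randomized one does not. The sysctl discussed in
# the thread is not named on the page; this is an offline check on samples.

def id_delta(prev_id, cur_id):
    """Forward distance on the 16-bit IP ID counter, handling wraparound."""
    return (cur_id - prev_id) & 0xFFFF

def estimate_rate(samples):
    """samples: list of (timestamp_s, ip_id) from replies to periodic probes.
    Returns the packets/second a sequential counter would imply (this
    includes the host's replies to the probes themselves)."""
    if len(samples) < 2:
        raise ValueError("need at least two samples")
    total = sum(id_delta(a[1], b[1]) for a, b in zip(samples, samples[1:]))
    elapsed = samples[-1][0] - samples[0][0]
    return total / elapsed

def looks_sequential(samples, max_step=4096):
    """True if every forward step is small, i.e. a counter advancing by at
    most max_step packets per probe interval. Random IDs give steps spread
    over the whole 0..65535 range, so almost all exceed such a bound.
    Pick the probe interval so a real counter stays below max_step."""
    steps = [id_delta(a[1], b[1]) for a, b in zip(samples, samples[1:])]
    return all(s <= max_step for s in steps)

def audit(samples):
    """Summarise one host: whether its IDs are sequential and, if so, the
    generation rate they reveal (None when the counter is randomized)."""
    seq = looks_sequential(samples)
    return {"sequential": seq, "rate_pps": estimate_rate(samples) if seq else None}

# Constructed samples: one probe per second to each host.
# Host A: sequential counter, ~500 other packets/s, wraps past 65535.
HOST_A = [(0.0, 65000), (1.0, 65501), (2.0, 466), (3.0, 967), (4.0, 1468)]
# Host B: randomized IDs on the same probe schedule.
HOST_B = [(0.0, 0x1A2B), (1.0, 0x9F10), (2.0, 0x0303), (3.0, 0xC4C4), (4.0, 0x5555)]

if __name__ == "__main__":
    for name, s in (("A", HOST_A), ("B", HOST_B)):
        print(name, audit(s))
```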