Date: Fri, 03 Apr 2015 23:16:58 +0200 From: Hans Petter Selasky <hps@selasky.org> To: "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>, Gleb Smirnoff <glebius@FreeBSD.org>, "Robert N. M. Watson" <rwatson@freebsd.org> Subject: Patch to reduce use of global IP ID value(s) to avoid leaking information Message-ID: <551F034A.3040402@selasky.org>
next in thread | raw e-mail | index | archive | help
Hi, Moving this discussion away from the committers list, like requested by Gorge N. On 04/03/15 17:14, Gleb Smirnoff wrote:> Hans, > > What the hell? At Fri, 3 Apr 2015 15:41:21 +0300 (MSK) you ask: An expression like that requires a good answer. I've pulled together some parts and pieces from some existing code to make a test application showing the problem. Maybe when you hear the problem with your own ears, you will get it. Setup: I'm running 11-current prior to Gleb's IP ID commits. Possibly Gleb's IP ID commits won't change much. This little crude application I've called "pingphone" almost allows you to speak PCM audio through ICMP packets with zero payload. You need a computer with a sound card that can handle 8KHz PCM which plays through the default /dev/dsp ! Set the default audio adapter using: sysctl hw.snd.default_unit=XXX Also make sure that "kern.hz" is set to 1000 or 8000 and not 100. Else change it and reboot. fetch http://home.selasky.org:8192/privat/pingphone/pingphone.c Or try this if the above fails: fetch http://home.selasky.org/privat/pingphone/pingphone.c Compile it: cc -Wall pingphone.c Let me know if it doesn't compile. Start the ping recorder on localhost (IPv4): ./a.out -m 1 -T 127.0.0.1 Start audio producer on localhost: ./a.out -m 0 -T 127.0.0.1 Stop audio producer on localhost. Start the audio producer from another box so that the traffic goes accross a real network. Maybe inside a jail too? ./a.out -m 0 -T 192.168.x.x Still don't understand what the problem is? Should I make it play some Beethoven piece perhaps ;-) When you're done you maybe want to restore the ICMP limit back to the default: sysctl net.inet.icmp.icmplim=200 What's stated in: https://svnweb.freebsd.org/changeset/base/281024 Is correct. I see no technical reason to pull that out. For the future I've made a new project branch called "hps_head" where I will do development for sys/net/ sys/netinet and sys/netinet6 if I need. Gleb and Robert: You will have -current all to yourself and I hope to not receive any further angry comments from you regarding the issues that appeared this easter. Thank you for the attention. --HPS
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?551F034A.3040402>