From owner-freebsd-net  Sat May 26  0:16: 6 2001
Delivered-To: freebsd-net@freebsd.org
Received: from bazooka.unixfreak.org (bazooka.unixfreak.org [63.198.170.138])
	by hub.freebsd.org (Postfix) with ESMTP id ECB2737B422
	for <net@FreeBSD.ORG>; Sat, 26 May 2001 00:16:02 -0700 (PDT)
	(envelope-from dima@unixfreak.org)
Received: from spike.unixfreak.org (spike [63.198.170.139])
	by bazooka.unixfreak.org (Postfix) with ESMTP
	id 9916C3E28; Sat, 26 May 2001 00:16:02 -0700 (PDT)
To: Kris Kennaway <kris@obsecurity.org>
Cc: Alfred Perlstein <bright@rush.net>, net@FreeBSD.ORG
Subject: Re: Randomized IP ID patch 
In-Reply-To: <20010525235011.A44657@xor.obsecurity.org>; from kris@obsecurity.org on "Fri, 25 May 2001 23:50:11 -0700"
Date: Sat, 26 May 2001 00:16:02 -0700
From: Dima Dorfman <dima@unixfreak.org>
Message-Id: <20010526071602.9916C3E28@bazooka.unixfreak.org>
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-net.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo?subject=subscribe%20freebsd-net>
List-Unsubscribe: <mailto:majordomo?subject=unsubscribe%20freebsd-net>
X-Loop: FreeBSD.org

Kris Kennaway <kris@obsecurity.org> writes:
> On Sat, May 26, 2001 at 02:46:44AM -0400, Alfred Perlstein wrote:
> > * Kris Kennaway <kris@obsecurity.org> [010526 02:38] wrote:
> > > A while back I posted a version of this which was activated by sysctl,
> > > but people didn't like the per-packet performance overhead, so here's
> > > an updated version which uses a compile-time option.  Please review;
> > > I'd like to commit this soon.
> > >
> >
> > This seems pretty cool, I'm suprised you had people objecting to
> > a single check of whether or not to run an external function.
> > (I'd rather see this configurable while the system is running).
> 
> Well, I could have done it by switching functions, but people also
> objected to the kernel bloat.  To be fair, this is a pretty minor
> information leak, so many people will not care about it.

If it makes sense to be able to switch it on and off at run-time
(e.g., it may make sense to, say, use it to compare resposne from
something), you can make the sysctl conditional on the compile-time
option.  If Alfred just wanted to be able to switch it on without
recompiling a kernel (e.g., while running GENERIC), this obviously
doesn't help.

Just food for thought, I guess.  I like it either way :-).

Thanks!

					Dima Dorfman
					dima@unixfreak.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message