Date: Tue, 17 Apr 2001 10:54:48 -0700
From: "Crist Clark" <crist.clark@globalstar.com>
To: Kris Kennaway <kris@obsecurity.org>
Cc: Matt Dillon <dillon@earth.backplane.com>, Niels Provos <provos@citi.umich.edu>, Wes Peters <wes@softweyr.com>, freebsd-security@FreeBSD.ORG, net@FreeBSD.ORG, provos@OpenBSD.org
Subject: Re: non-random IP IDs
Message-ID: <3ADC8368.C96550FE@globalstar.com>
References: <20010416214611.6DA3F207C1@citi.umich.edu> <200104170157.f3H1v4d87804@earth.backplane.com> <20010416233042.A21394@xor.obsecurity.org> <200104171731.f3HHVFu94944@earth.backplane.com> <20010417103823.A49384@xor.obsecurity.org>

Kris Kennaway wrote:
>
> On Tue, Apr 17, 2001 at 10:31:15AM -0700, Matt Dillon wrote:
> >
> > :> It's not worth doing. We would be introducing unnecessary cpu burn on
> > :> every single packet we sent out, all to solve a problem that doesn't
> > :> really exist.
> > :
> > :Well, that's why it's a sysctl defaulting to off in my patch. Don't
> > :turn it on if you don't want to.
> > :
> > :Kris
> >
> > Let me put it another way: I think this sort of thing is an excellent
> > example of introducing unnecessary kernel bloat into the system. Who
> > gives a fart whether someone can port scan you efficiently or
> > anonymously or not? I get port scanned every day. Most hackers don't
> > even bother with portscans, they just try the exploit on the target
> > machines directly.
>
> Tools, not policy..
>
> You may not care about it, but others do.

Some people want it. The code already exists. Put it in the source
tree so those people who want it can have it, but more importantly,
so we never have to explain why OpenBSD has IP ID randomization and
FreeBSD does not or otherwise go through this same thread ever again.

I think the only bikesh^H^H^H^H^H^H question should be whether it is
(a) always built into the kernel, but has the sysctl switched off,
or (b) it requires a kernel config option like,

  options IP_ID_RANDOMIZE

(Which will not be in GENERIC) to get the code in the kernel.
Personally, I like (b). It's right there for those who want it, but
the bloat-watchers don't have to see that extra few bytes going to
kernelland.
--
Crist J. Clark
Network Security Engineer
crist.clark@globalstar.com
Globalstar, L.P.
(408) 933-4387
FAX: (408) 933-4926

The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above.
If the reader of this e-mail is not the intended recipient, or the
employee or agent responsible to deliver it to the intended recipient,
you are hereby notified that any review, dissemination, distribution or
copying of this communication is strictly prohibited. If you have
received this e-mail in error, please contact postmaster@globalstar.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message