From owner-freebsd-net@FreeBSD.ORG Mon Apr 13 08:57:57 2015
Date: Mon, 13 Apr 2015 10:50:44 +0200 (CEST)
From: Emeric POUPON
To: Hans Petter Selasky
Cc: freebsd-net@freebsd.org, "Robert N. M. Watson"
Message-ID: <418217640.28098961.1428915044557.JavaMail.zimbra@stormshield.eu>
In-Reply-To: <55200A51.3090008@selasky.org>
References: <551F034A.3040402@selasky.org> <20150403213641.GM64665@glebius.int.ru> <551FA37B.90609@selasky.org> <35F9F267-EDB3-45FC-95E0-4573556BD736@freebsd.org> <551FF191.2090109@selasky.org> <55200A51.3090008@selasky.org>
Subject: Re: Patch to reduce use of global IP ID value(s) to avoid leaking information
List-Id: Networking and TCP/IP with FreeBSD

> I'm talking about sampling the IP ID value you get in return from a PING
> response. A firewall typically has multiple ports. If pinging the
> gateway from any of these ports causes an increment of a shared IP ID
> value, then anyone that can ping the common firewall will see the IP ID
> updates the other parties are doing.
>
> --HPS

Hello,

I know this is not exactly the "attack" you described (RX/TX communication using IP ID), but our random implementation of IP ID does not completely prevent somebody from guessing the traffic made by the gateway.

By default we use a parameter (N=8192) in order not to reuse a given amount of previously used IP IDs. If you ping the gateway and if there is no traffic, you are sure not to get the N previously received IP IDs. This is a kind of hint of the load of the gateway.

Emeric
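The property Emeric describes can be checked offline with a small model. The code below is an added example written for this archive page; it is not code from the e-mail thread, from NETASQ or from FreeBSD's own `ip_id.c`. It assumes a generator that draws a random 16-bit ID and rejects any value still inside a window of the last N=8192 issued IDs (the bookkeeping via ring buffer and bitmap, and the xorshift32 toy PRNG, are constructed for the example and are not a claim about any real implementation). The defender-side measurement is `probe_repeats()`: count how often an echo reply's ID repeats one of the observer's own last N replies. With no other traffic that count is exactly zero, because the observer's window and the gateway's exclusion window coincide; once other parties' datagrams consume part of the window, repeats appear, which is the load hint the e-mail points out. The same function is the regression check one would run against a candidate fix: an ID scheme that leaks nothing this way should give statistically indistinguishable results for the idle and busy cases.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Window of previously issued IDs that must not be reused (N from the e-mail). */
#define ID_HISTORY 8192u
#define ID_SPACE   65536u

/* Sliding window of the last ID_HISTORY 16-bit IDs, with O(1) membership. */
struct window {
    uint16_t hist[ID_HISTORY];   /* ring buffer, oldest entry at `head` when full */
    unsigned head;
    unsigned count;              /* valid entries, <= ID_HISTORY */
    uint8_t  bits[ID_SPACE / 8]; /* bitmap: 1 = ID currently inside the window */
};

static int window_contains(const struct window *w, uint16_t id)
{
    return (w->bits[id >> 3] >> (id & 7)) & 1;
}

static void window_push(struct window *w, uint16_t id)
{
    if (w->count == ID_HISTORY) {           /* full: evict the oldest ID */
        uint16_t old = w->hist[w->head];
        w->bits[old >> 3] &= (uint8_t)~(1u << (old & 7));
    } else {
        w->count++;
    }
    w->hist[w->head] = id;
    w->bits[id >> 3] |= (uint8_t)(1u << (id & 7));
    w->head = (w->head + 1) % ID_HISTORY;
}

/* Toy generator: random ID, rejecting anything still in the no-reuse window. */
struct ipid_gen {
    struct window recent;
    uint32_t rng;                /* xorshift32 state; a stand-in, not a CSPRNG */
};

static uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

void ipid_init(struct ipid_gen *g, uint32_t seed)
{
    memset(g, 0, sizeof *g);
    g->rng = seed ? seed : 1u;   /* xorshift must not start at zero */
}

uint16_t ipid_next(struct ipid_gen *g)
{
    uint16_t id;
    /* At most ID_HISTORY of the 65536 values are excluded, so this terminates. */
    do {
        id = (uint16_t)xorshift32(&g->rng);
    } while (window_contains(&g->recent, id));
    window_push(&g->recent, id);
    return id;
}

/*
 * Observer model: send `probes` pings; between consecutive pings the gateway
 * emits `background` datagrams of its own (other parties' traffic, constructed).
 * Returns how many reply IDs repeated an ID among the observer's previous
 * ID_HISTORY replies. Idle gateway: always 0. Busy gateway: > 0.
 */
unsigned probe_repeats(unsigned probes, unsigned background, uint32_t seed)
{
    struct ipid_gen g;
    struct window mine;
    unsigned repeats = 0, i, j;
    uint16_t id;

    ipid_init(&g, seed);
    memset(&mine, 0, sizeof mine);
    for (i = 0; i < probes; i++) {
        for (j = 0; j < background; j++)
            (void)ipid_next(&g);            /* traffic the observer never sees */
        id = ipid_next(&g);                 /* the echo reply to this probe */
        if (window_contains(&mine, id))
            repeats++;
        window_push(&mine, id);
    }
    return repeats;
}

int main(void)
{
    printf("idle gateway, 20000 probes: %u repeats within last %u\n",
           probe_repeats(20000, 0, 12345u), ID_HISTORY);
    printf("busy gateway (20 datagrams/probe): %u repeats within last %u\n",
           probe_repeats(20000, 20, 12345u), ID_HISTORY);
    return 0;
}
```

The idle result is deterministic regardless of the seed, which is what makes it a usable detector for this class of leak; the busy count varies with the seed and the traffic ratio, and is what an operator would watch when deciding whether the no-reuse window needs to be rethought.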