Date: Mon, 13 Apr 2015 10:50:44 +0200 (CEST)
From: Emeric POUPON <emeric.poupon@stormshield.eu>
To: Hans Petter Selasky <hps@selasky.org>
Cc: freebsd-net@freebsd.org, "Robert N. M. Watson" <rwatson@freebsd.org>
Subject: Re: Patch to reduce use of global IP ID value(s) to avoid leaking information
Message-ID: <418217640.28098961.1428915044557.JavaMail.zimbra@stormshield.eu>
In-Reply-To: <55200A51.3090008@selasky.org>
References: <551F034A.3040402@selasky.org> <20150403213641.GM64665@glebius.int.ru> <551FA37B.90609@selasky.org> <35F9F267-EDB3-45FC-95E0-4573556BD736@freebsd.org> <551FF191.2090109@selasky.org> <55200A51.3090008@selasky.org>

> I'm talking about sampling the IP ID value you get in return from a PING
> response. A firewall typically has multiple ports. If pinging the
> gateway from any of these ports causes an increment of a shared IP ID
> value, then anyone that can ping the common firewall will see the IP ID
> updates the other parties are doing.
>
> --HPS

Hello,

I know this is not exactly the "attack" you described (RX/TX communication using IP ID), but our random implementation of IP ID does not completely prevent somebody from guessing the traffic made by the gateway.

By default we use a parameter (N=8192) in order not to reuse a given amount of previously used IP IDs. If you ping the gateway and if there is no traffic, you are sure not to get the N previously received IP IDs. This is a kind of hint of the load of the gateway.

Emeric
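The following is an added example, not part of the original message and not FreeBSD's IP ID code: a small model for judging how much the non-reuse window N discussed above reveals about gateway load. It assumes a uniform random draw over the 16-bit ID space (0 excluded) and a constant number of other packets between ping replies; `RandomIpId`, `min_repeat_gap` and `gap_floor` are hypothetical names.

```python
import random
from collections import deque

N = 8192  # non-reuse window size quoted in the message


class RandomIpId:
    """Model allocator: random 16-bit ID that is never one of the last n issued."""

    def __init__(self, n=N, seed=1):
        self.n = n
        self.rng = random.Random(seed)   # seeded so runs are reproducible
        self.recent = deque()            # issue order, oldest first
        self.in_window = set()           # fast membership test for the window

    def next_id(self):
        while True:
            ip_id = self.rng.randrange(1, 65536)
            if ip_id not in self.in_window:
                break
        self.recent.append(ip_id)
        self.in_window.add(ip_id)
        if len(self.recent) > self.n:
            self.in_window.discard(self.recent.popleft())
        return ip_id


def min_repeat_gap(other_packets_per_ping, pings=20000, n=N, seed=1):
    """Smallest number of pings between two replies that carried the same ID."""
    alloc = RandomIpId(n, seed)
    last_seen = {}
    best = None
    for i in range(pings):
        for _ in range(other_packets_per_ping):
            alloc.next_id()              # IDs consumed by other parties' traffic
        ip_id = alloc.next_id()          # ID carried by the ping reply
        if ip_id in last_seen:
            gap = i - last_seen[ip_id]
            best = gap if best is None else min(best, gap)
        last_seen[ip_id] = i
    return best


def gap_floor(other_packets_per_ping, n=N):
    """An ID becomes reusable only after n newer IDs were issued (n + 1 apart)."""
    return -(-(n + 1) // (other_packets_per_ping + 1))   # ceiling division
```

In this model an idle gateway never repeats an ID within 8193 ping replies, while 7 other packets per ping lowers that floor to 1025, so the shortest observed repeat distance shrinks as load grows.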