From owner-svn-src-head@FreeBSD.ORG Fri Apr 3 06:27:21 2015
Subject: Re: svn commit: r280971 - in head: contrib/ipfilter/tools share/man/man4 sys/contrib/ipfilter/netinet sys/netinet sys/netipsec sys/netpfil/pf
From: "Robert N. M. Watson"
To: Hans Petter Selasky
Cc: Mateusz Guzik, Ian Lepore, svn-src-all@freebsd.org, src-committers@freebsd.org, Gleb Smirnoff, svn-src-head@freebsd.org
Date: Fri, 3 Apr 2015 07:27:18 +0100
Message-Id: <4B7DAA59-389F-41AE-99D8-034A7AA61C99@FreeBSD.org>
In-Reply-To: <551DEF26.4000403@selasky.org>
References: <201504012226.t31MQedN044443@svn.freebsd.org> <1427929676.82583.103.camel@freebsd.org> <20150402123522.GC64665@FreeBSD.org> <20150402133751.GA549@dft-labs.eu> <20150402134217.GG64665@FreeBSD.org> <20150402135157.GB549@dft-labs.eu> <1427983109.82583.115.camel@freebsd.org> <20150402142318.GC549@dft-labs.eu> <20150402143420.GI64665@FreeBSD.org> <20150402153805.GD549@dft-labs.eu> <551D8143.4060509@selasky.org> <551D8945.8050906@selasky.org> <8900318B-8155-4131-A0C3-3DE169782EFC@FreeBSD.org> <551D8C6C.9060504@selasky.org> <551DA5EA.1080908@selasky.org> <551DAC9E.9010303@selasky.org> <358EC58D-1F92-411E-ADEB-8072020E9EB3@FreeBSD.org> <551DEF26.4000403@selasky.org>
List-Id: SVN commit messages for the src tree for head/-current

On 3 Apr 2015, at 02:38, Hans Petter Selasky wrote:

> I would like to have a comment on one final issue about the IP ID field.
>
> Given two [small] prime numbers: P and Q.
>
> Assume you have a firewall that separates two networks, called A and B, that are not allowed to communicate.
>
> In network A an application pings the firewall and sees the IP ID field changing P steps.
>
> In network B an application pings the firewall and sees the IP ID field changing Q steps.
>
> If the application in network A always sees that the IP ID field is changing P steps, it knows the application in network B did not send any packets.
>
> If the application in network B always sees that the IP ID field is changing Q steps, it knows the application in network A did not send any packets.
>
> Detecting sending and not sending packets can be used as a way of reliable duplex binary communication.
>
> I think the current and past implementation of the IP ID field in FreeBSD can be used to leak information between networks, or am I totally wrong?
>
> As long as the IP ID counters are shared between two or more secured networks, there will be a problem. Something along the lines of D2211 might be a way to solve such an information leak without too much overhead!

There are countless covert channels in TCP/IP; breaking the IP implementation to close a covert channel is probably not a worthwhile investment.

As indicated in pretty much the original RFC on the topic, IP IDs need to be at minimum unique to a 2-tuple pair, so cannot be unique only at the granularity of TCP or UDP connections, GRE associations, etc. However, our current implementation keeps them globally unique, which means they wrap much faster than necessary. Shifting to unique IP ID spaces for IP 2-tuples would provide for a much longer wrapping time at the cost of maintaining (and looking up!) additional state. There are various ways to improve things -- and not all require a full set of per-IP-2-tuple IP ID counters; for example, you could have hash buckets based on 2-tuples. It's harder to do this in a multiprocessor-scalable way, however, as the uniqueness requirements are global, and the IP ID space is very small -- a more fundamental problem. In general, the world therefore tries quite hard not to fragment, using TCP PMTU and careful MTU selection for UDP (etc). Also, the world has become quite a lot more homogeneous with respect to link-layer MTU over time -- e.g., with convergence on Ethernet, although VPNs have made things a bit less fun.

Robert
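The covert channel Hans Petter describes (an observer in network A reading the firewall's IP ID delta to learn whether network B sent anything) and the "hash buckets based on 2-tuples" alternative from the reply, as an added C model. This is example code written for this page, not FreeBSD's ip_id implementation: the addresses, the bucket count and the placeholder hash are assumptions. It goes slightly beyond the thread by also measuring the wrap time of one flow's ID space under each policy, which is the cost the reply says the global counter imposes.

```c
/*
 * Added example, not FreeBSD's ip_id code: a toy model of the IP ID
 * covert channel described in the thread and of the "hash buckets
 * based on 2-tuples" alternative. Two allocation policies are modelled:
 *   global   - one 16-bit counter shared by every flow
 *   bucketed - one 16-bit counter per hash bucket of the (src,dst) tuple
 * The addresses, the hash function and NBUCKETS are assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NBUCKETS 64                                 /* assumed, power of two */

typedef struct { uint32_t src, dst; } tuple_t;      /* IPv4 2-tuple */
typedef uint16_t (*ipid_fn)(tuple_t);

/* Constructed addresses: firewall 10.0.0.1 replying to A (10.0.1.2) and B (10.0.2.3). */
const tuple_t FW_TO_A = { 0x0A000001u, 0x0A000102u };
const tuple_t FW_TO_B = { 0x0A000001u, 0x0A000203u };

static uint16_t global_ipid;                        /* policy: global counter */
static uint16_t bucket_ipid[NBUCKETS];              /* policy: per-bucket counters */

void reset_counters(void) {
    global_ipid = 0;
    memset(bucket_ipid, 0, sizeof bucket_ipid);
}

/* Placeholder 2-tuple hash (assumption). A real implementation would key
 * it with a boot-time secret so peers cannot pick tuples that share a bucket. */
unsigned bucket_of(tuple_t t) {
    uint32_t h = t.src ^ t.dst;
    h ^= h >> 16;
    h ^= h >> 8;
    return h & (NBUCKETS - 1);
}

/* IP ID for one packet the firewall sends on tuple t, under each policy. */
uint16_t ipid_global(tuple_t t)   { (void)t; return global_ipid++; }
uint16_t ipid_bucketed(tuple_t t) { return bucket_ipid[bucket_of(t)]++; }

/*
 * The covert channel: the observer (network A) pings the firewall before
 * and after a window in which the sender (network B) emits other_sends
 * packets. Returns the number of packets the observer infers were sent
 * to someone else: the 16-bit delta minus its own probe reply.
 * Counters start fresh so each call is an independent experiment.
 */
int infer_other_traffic(ipid_fn alloc, tuple_t observer, tuple_t other, int other_sends) {
    reset_counters();
    uint16_t before = alloc(observer);
    for (int i = 0; i < other_sends; i++)
        alloc(other);                               /* B's packets, unseen by A */
    uint16_t after = alloc(observer);
    return (int)(uint16_t)(after - before) - 1;     /* wrap-safe in 16 bits */
}

/*
 * Wrap time: packets sent on `flow` before its IP ID repeats, while
 * bg_per_flow background packets go to `bg` between each of them.
 * A repeated ID while earlier fragments are still in flight is what
 * breaks reassembly, so a short wrap time is the cost of a shared counter.
 */
unsigned long packets_until_repeat(ipid_fn alloc, tuple_t flow, tuple_t bg, int bg_per_flow) {
    reset_counters();
    uint16_t first = alloc(flow);
    unsigned long n = 1;
    for (;;) {
        for (int i = 0; i < bg_per_flow; i++)
            alloc(bg);
        if (alloc(flow) == first)
            return n;
        n++;
    }
}

int main(void) {
    printf("global:   A infers %d packets sent to B\n",
           infer_other_traffic(ipid_global, FW_TO_A, FW_TO_B, 3));
    printf("bucketed: A infers %d packets sent to B (buckets %u and %u)\n",
           infer_other_traffic(ipid_bucketed, FW_TO_A, FW_TO_B, 3),
           bucket_of(FW_TO_A), bucket_of(FW_TO_B));
    printf("global:   flow ID repeats after %lu packets with 1:1 background\n",
           packets_until_repeat(ipid_global, FW_TO_A, FW_TO_B, 1));
    printf("bucketed: flow ID repeats after %lu packets with 1:1 background\n",
           packets_until_repeat(ipid_bucketed, FW_TO_A, FW_TO_B, 1));
    return 0;
}
```

With the global counter the observer reads B's packet count straight off the delta, which is the duplex bit channel in the quoted message; with bucketed counters A learns nothing about B as long as the two tuples hash to different buckets, so a keyed hash matters because a peer who can force a collision gets the shared counter back. The wrap-time measurement shows the other half of the reply's argument: with one background packet per flow packet, the global space repeats after 32768 packets of the flow, the per-bucket space after 65536. The multiprocessor-scalability problem the reply raises is not modelled here, since these counters are plain unsynchronised globals.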