From: Emeric POUPON
To: Hans Petter Selasky
Cc: Mateusz Guzik, src-committers@freebsd.org, Ian Lepore, svn-src-all@freebsd.org, Gleb Smirnoff, "Robert N. M. Watson", svn-src-head@freebsd.org
Date: Fri, 3 Apr 2015 15:38:38 +0200 (CEST)
Subject: Re: svn commit: r280971 - in head: contrib/ipfilter/tools share/man/man4 sys/contrib/ipfilter/netinet sys/netinet sys/netipsec sys/netpfil/pf
Message-ID: <206317407.27296349.1428068318117.JavaMail.zimbra@stormshield.eu>
In-Reply-To: <551E906B.3010900@selasky.org>
References: <551DA5EA.1080908@selasky.org> <6DF5FB51-8135-4144-BD3A-6E4127A23AA7@FreeBSD.org> <551E5C38.7070203@selasky.org> <78DD67BD-621C-451D-8E30-EC9BF396716F@FreeBSD.org> <551E6E72.8050208@selasky.org> <20150403112927.GQ64665@FreeBSD.org> <551E8A96.6030806@selasky.org> <551E906B.3010900@selasky.org>
List-Id: SVN commit messages for the src tree for head/-current

A good random ip id would certainly be better.
But the current implementation is far from being optimized: a lock is being held inside arc4rand, and another one for protecting the ip_id internals.
We already have contention problems with the IV generated for ESP packets.
The randomized ip id, using this implementation, is in my opinion not an acceptable solution.

Regards,

Emeric

----- Original message -----
From: "Hans Petter Selasky"
To: "Gleb Smirnoff"
Cc: "Mateusz Guzik", "Ian Lepore", svn-src-all@freebsd.org, src-committers@freebsd.org, "Robert N. M. Watson", svn-src-head@freebsd.org
Sent: Friday 3 April 2015 15:06:51
Subject: Re: svn commit: r280971 - in head: contrib/ipfilter/tools share/man/man4 sys/contrib/ipfilter/netinet sys/netinet sys/netipsec sys/netpfil/pf

On 04/03/15 14:41, Hans Petter Selasky wrote:
> On 04/03/15 13:29, Gleb Smirnoff wrote:
>> On Fri, Apr 03, 2015 at 12:41:54PM +0200, Hans Petter Selasky wrote:
>> H> "ip_do_randomid" is zero by default, and is not documented anywhere:
>> H>
>> H> grep -r ip_do_randomid share/
>>
>> It is documented in inet(4).
>>
>> The actual sysctl knob doesn't match the kernel symbol name, which is
>> allowed in sysctl(9).
>>
>
> Hi,
>
> Will you mind if I rephrase that paragraph in the "inet.4" manual page
> from:
>
> "This closes a minor information leak which allows remote observers to
> determine the rate of packet generation on the machine by watching the
> counter."
>
> Into:
>
> "This prevents high-speed information exchange between internal and
> external observers using packet frequency modulation. An outside
> observer can ping the outside facing port at a fixed rate watching the
> counter. An inside observer can ping the inside facing port watching the
> same counter. Even though packets don't flow between the two ports, data
> can be exchanged by watching changes in the packet rate. It is believed
> that data can be exchanged in the Kb/s range this way. Setting this sysctl
> also prevents remote and internal observers from determining the rate of
> packet generation on the machine by watching the counter."
>

Hi,

Maybe there will be some new applications after this discovery. No need for uPnP any more. Could be nice to send text messages through firewalls. Depends on how many implement IP ID counting the same way as FreeBSD does ;-)

--HPS

_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
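An added example (not from this thread or from FreeBSD's ip_id code): a Python model of the leak HPS describes, together with the check a defender would run over the IP IDs in a host's replies to confirm it no longer exposes a global counter. The traffic model, the rates and the 1/8-of-ID-space threshold are constructed assumptions.

```python
"""Constructed model of the IP ID leak from the thread: a host with one
global sequential IP ID counter reveals its packet rate in every reply;
per-packet random IDs do not. Simulated data, not a capture."""
import random
import statistics

ID_SPACE = 1 << 16  # the IP ID header field is 16 bits wide


def observed_ids(randomize, background_pps, probe_interval_ms, probes, seed=1):
    """IP IDs an observer would see in replies to `probes` probes sent at
    a fixed interval. randomize=True models the sysctl being on; False
    models a global counter shared by all of the host's traffic."""
    rng = random.Random(seed)
    counter = rng.randrange(ID_SPACE)
    ids = []
    for _ in range(probes):
        if randomize:
            ids.append(rng.randrange(ID_SPACE))
            continue
        # packets the host sent to other peers during this interval (with jitter)
        background = background_pps * probe_interval_ms // 1000 + rng.randint(-2, 2)
        counter = (counter + max(background, 0) + 1) % ID_SPACE  # +1: our reply
        ids.append(counter)
    return ids


def analyze_ids(ids, probe_interval_ms, seq_threshold=ID_SPACE // 8):
    """Classify a host's IP ID behaviour from reply IDs and, for a global
    counter, estimate its background packet rate in packets/s.
    Returns ("random", None) or ("incremental", rate). The threshold is a
    heuristic assumption: a counter advancing by more than 1/8 of the ID
    space per probe would look random to this check."""
    deltas = [(b - a) % ID_SPACE for a, b in zip(ids, ids[1:])]
    small = sum(1 for d in deltas if d < seq_threshold)
    if not deltas or small < 0.9 * len(deltas):
        return "random", None
    per_interval = statistics.median(deltas) - 1  # minus the reply to our probe
    return "incremental", per_interval * 1000 / probe_interval_ms


if __name__ == "__main__":
    for randomize in (False, True):
        ids = observed_ids(randomize, 200, 100, 50)
        print("random_id on" if randomize else "random_id off", analyze_ids(ids, 100))
```

With the counter model the estimate lands near the simulated 200 packets/s; with per-packet random IDs the deltas are spread across the whole 16-bit space and nothing about the host's rate can be read off them.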