From: "George Neville-Neil" <gnn@neville-neil.com>
To: "Emeric POUPON"
Cc: Hans Petter Selasky, Mateusz Guzik, src-committers@freebsd.org, Ian Lepore, svn-src-all@freebsd.org, Gleb Smirnoff, "Robert N. M. Watson", svn-src-head@freebsd.org
Subject: Re: svn commit: r280971 - in head: contrib/ipfilter/tools share/man/man4 sys/contrib/ipfilter/netinet sys/netinet sys/netipsec sys/netpfil/pf
Date: Fri, 03 Apr 2015 10:00:22 -0400
Message-ID: <195BF758-2AF8-4758-9CA9-681337EE4FBF@neville-neil.com>
In-Reply-To: <206317407.27296349.1428068318117.JavaMail.zimbra@stormshield.eu>

OK, top post. This is a general discussion. Move to net@ and get this out of our commit mails please.

Best,
George

On 3 Apr 2015, at 9:38, Emeric POUPON wrote:

> A good ip id random would be certainly better.
> But the current implementation is far from being optimized: a lock is being held inside arc4rand, and another one for protecting the ip_id internals.
> We already have contention problems with the IV generated for ESP packets. The randomized ip id, using this implementation, is in my opinion not an acceptable solution.
>
> Regards,
>
> Emeric
>
>
> ----- Original Message -----
> From: "Hans Petter Selasky"
> To: "Gleb Smirnoff"
> Cc: "Mateusz Guzik", "Ian Lepore", svn-src-all@freebsd.org, src-committers@freebsd.org, "Robert N. M. Watson", svn-src-head@freebsd.org
> Sent: Friday 3 April 2015 15:06:51
> Subject: Re: svn commit: r280971 - in head: contrib/ipfilter/tools share/man/man4 sys/contrib/ipfilter/netinet sys/netinet sys/netipsec sys/netpfil/pf
>
> On 04/03/15 14:41, Hans Petter Selasky wrote:
>> On 04/03/15 13:29, Gleb Smirnoff wrote:
>>> On Fri, Apr 03, 2015 at 12:41:54PM +0200, Hans Petter Selasky wrote:
>>> H> "ip_do_randomid" is zero by default, and is not documented anywhere:
>>> H>
>>> H> grep -r ip_do_randomid share/
>>>
>>> It is documented in inet(4).
>>>
>>> The actual sysctl knob doesn't match the kernel symbol name, which is allowed in sysctl(9).
>>>
>>
>> Hi,
>>
>> Will you mind if I rephrase that paragraph in the "inet.4" manual page from:
>>
>> "This closes a minor information leak which allows remote observers to determine the rate of packet generation on the machine by watching the counter."
>>
>> Into:
>>
>> "This prevents high-speed information exchange between internal and external observers using packet frequency modulation. An outside observer can ping the outside facing port at a fixed rate watching the counter. An inside observer can ping the inside facing port watching the same counter. Even though packets don't flow between the two ports, data can be exchanged by watching changes in the packet rate. It is believed that data can be exchanged in the Kb/s range this way. Setting this sysctl also prevents remote and internal observers from determining the rate of packet generation on the machine by watching the counter."
>>
>
> Hi,
>
> Maybe there will be some new applications after this discovery. No need for uPnP any more. Could be nice to send text messages through firewalls. Depends how many implement the IP ID counting the same way FreeBSD does ;-)
>
> --HPS
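The shared-counter channel Hans Petter describes above, modelled as an added example (not code from this thread or from FreeBSD): a host hands out IP IDs either from one global 16-bit counter or from a randomized source, the inside party modulates how many packets it sends per interval, and the outside party probing once per interval reads the counter steps in its replies. `HIGH`, `LOW`, `BACKGROUND` and the interval structure are constructed values, and `ip_id_looks_sequential` is a hypothetical defender-side check for whether a host still exposes a monotone counter.

```python
import random

ID_MASK = 0xFFFF          # IPv4 ip_id is a 16-bit field
HIGH, LOW = 50, 0         # constructed: packets/interval the inside party sends for 1 / 0
BACKGROUND = 3            # constructed: unrelated packets the host emits per interval


class IpIdSource:
    """Model of a host's ip_id allocator. 'sequential' is one global counter
    shared by every destination; 'random' models ip_do_randomid=1, where each
    datagram gets an unpredictable id (arc4random in the kernel)."""

    def __init__(self, mode, seed=1):
        self.mode = mode
        self.counter = 0
        self.rng = random.Random(seed)

    def next_id(self):
        if self.mode == "sequential":
            self.counter = (self.counter + 1) & ID_MASK
            return self.counter
        return self.rng.randrange(ID_MASK + 1)


def covert_exchange(mode, bits, seed=1):
    """Return (decoded bits, ids seen by the outside observer). Per interval the
    inside party sends HIGH or LOW packets to the host; the outside party sends
    one probe and reads the ip_id echoed in the reply. No packet crosses between
    the two parties; the only shared state is the host's counter."""
    host = IpIdSource(mode, seed)
    probe_ids = [host.next_id()]                 # first probe, before any data
    for bit in bits:
        for _ in range(BACKGROUND + (HIGH if bit else LOW)):
            host.next_id()                       # host's own + inside traffic
        probe_ids.append(host.next_id())         # outside observer's next probe
    decoded = []
    for prev, cur in zip(probe_ids, probe_ids[1:]):
        others = ((cur - prev) & ID_MASK) - 1    # packets not sent by the observer
        decoded.append(1 if others > (HIGH + LOW) // 2 else 0)
    return decoded, probe_ids


def ip_id_looks_sequential(ids, max_step=1000):
    """Check ids observed in a host's replies: a single global counter yields
    small, strictly increasing (mod 2^16) steps; a randomized source does not."""
    steps = [(cur - prev) & ID_MASK for prev, cur in zip(ids, ids[1:])]
    return all(0 < s <= max_step for s in steps)
```

With the sequential source the outside party recovers the inside party's bits exactly despite the background traffic; with the randomized source the counter steps carry no information and the sequential-counter check fails.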