Date:      Fri, 3 Apr 2015 17:28:30 +0100 (BST)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        Hans Petter Selasky <hps@selasky.org>
Cc:        Mateusz Guzik <mjguzik@gmail.com>, src-committers@freebsd.org, Ian Lepore <ian@freebsd.org>, svn-src-all@freebsd.org, Gleb Smirnoff <glebius@FreeBSD.org>, svn-src-head@freebsd.org
Subject:   Re: svn commit: r280971 - in head: contrib/ipfilter/tools share/man/man4 sys/contrib/ipfilter/netinet sys/netinet sys/netipsec sys/netpfil/pf
Message-ID:  <alpine.BSF.2.11.1504031727080.64391@fledge.watson.org>
In-Reply-To: <551E8A96.6030806@selasky.org>
References:  <551DA5EA.1080908@selasky.org> <551DAC9E.9010303@selasky.org> <358EC58D-1F92-411E-ADEB-8072020E9EB3@FreeBSD.org> <551DEF26.4000403@selasky.org> <4B7DAA59-389F-41AE-99D8-034A7AA61C99@FreeBSD.org> <551E520E.1040708@selasky.org> <6DF5FB51-8135-4144-BD3A-6E4127A23AA7@FreeBSD.org> <551E5C38.7070203@selasky.org> <78DD67BD-621C-451D-8E30-EC9BF396716F@FreeBSD.org> <551E6E72.8050208@selasky.org> <20150403112927.GQ64665@FreeBSD.org> <551E8A96.6030806@selasky.org>


On Fri, 3 Apr 2015, Hans Petter Selasky wrote:

> Will you mind if I rephrase that paragraph in the "inet.4" manual page from:
>
> "This closes a minor information leak which allows remote observers to 
> determine the rate of packet generation on the machine by watching the 
> counter."
>
> Into:
>
> "This prevents high-speed information exchange between internal and external 
> observers using packet frequency modulation. An outside observer can ping 
> the outside facing port at a fixed rate watching the counter. An inside 
> observer can ping the inside facing port watching the same counter. Even 
> though packets don't flow between the two ports, data can be exchanged by 
> watching changes in the packet rate. It is believed that data can be 
> exchanged in the Kb/s range this way. Setting this sysctl also prevents 
> remote and internal observers from determining the rate of packet 
> generation on the machine by watching the counter."

Yes, I think this is overly alarmist, and it suggests that other covert 
channels might not exist to be exploited if the knob is set -- which isn't 
true.  We don't promise that there are no covert channels in FreeBSD, and we 
would be foolish if we did promise that.

Robert

