From owner-svn-src-head@FreeBSD.ORG Fri Apr 3 16:28:31 2015
Delivered-To: svn-src-head@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id D502EAE7; Fri, 3 Apr 2015 16:28:31 +0000 (UTC)
Received: from cyrus.watson.org (cyrus.watson.org [198.74.231.69]) by mx1.freebsd.org (Postfix) with ESMTP id A3028F6D; Fri, 3 Apr 2015 16:28:31 +0000 (UTC)
Received: from fledge.watson.org (fledge.watson.org [198.74.231.63]) by cyrus.watson.org (Postfix) with ESMTPS id 0CF6946BA7; Fri, 3 Apr 2015 12:28:31 -0400 (EDT)
Date: Fri, 3 Apr 2015 17:28:30 +0100 (BST)
From: Robert Watson
X-X-Sender: robert@fledge.watson.org
To: Hans Petter Selasky
Subject: Re: svn commit: r280971 - in head: contrib/ipfilter/tools share/man/man4 sys/contrib/ipfilter/netinet sys/netinet sys/netipsec sys/netpfil/pf
In-Reply-To: <551E8A96.6030806@selasky.org>
References: <551DA5EA.1080908@selasky.org> <551DAC9E.9010303@selasky.org> <358EC58D-1F92-411E-ADEB-8072020E9EB3@FreeBSD.org> <551DEF26.4000403@selasky.org> <4B7DAA59-389F-41AE-99D8-034A7AA61C99@FreeBSD.org> <551E520E.1040708@selasky.org> <6DF5FB51-8135-4144-BD3A-6E4127A23AA7@FreeBSD.org> <551E5C38.7070203@selasky.org> <78DD67BD-621C-451D-8E30-EC9BF396716F@FreeBSD.org> <551E6E72.8050208@selasky.org> <20150403112927.GQ64665@FreeBSD.org> <551E8A96.6030806@selasky.org>
User-Agent: Alpine 2.11 (BSF 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: Mateusz Guzik, src-committers@freebsd.org, Ian Lepore, svn-src-all@freebsd.org, Gleb Smirnoff, svn-src-head@freebsd.org
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
X-List-Received-Date: Fri, 03 Apr 2015 16:28:32 -0000

On Fri, 3 Apr 2015, Hans Petter Selasky wrote:

> Will you mind if I rephrase that paragraph in the "inet.4" manual page from:
>
> "This closes a minor information leak which allows remote observers to
> determine the rate of packet generation on the machine by watching the
> counter."
>
> Into:
>
> "This prevents high-speed information exchange between internal and external
> observers using packet frequency modulation. An outside observer can ping
> the outside facing port at a fixed rate watching the counter. An inside
> observer can ping the inside facing port watching the same counter. Even
> though packets don't flow between the two ports, data can be exchanged by
> watching changes in the packet rate. It is believed that data can be
> exchanged in the Kb/s range this way. Setting this sysctl also prevents remote
> and internal observers from determining the rate of packet generation on the
> machine by watching the counter."

Yes, I think this is overly alarmist, and it suggests that other covert channels might not exist to be exploited if the knob is set -- which isn't true. We don't promise that there are no covert channels in FreeBSD, and we would be foolish if we did promise that.

Robert