Date: Fri, 03 Apr 2015 03:38:46 +0200
From: Hans Petter Selasky <hps@selasky.org>
To: "Robert N. M. Watson" <rwatson@FreeBSD.org>
Cc: Mateusz Guzik <mjguzik@gmail.com>, Ian Lepore <ian@freebsd.org>, svn-src-all@freebsd.org, src-committers@freebsd.org, Gleb Smirnoff <glebius@FreeBSD.org>, svn-src-head@freebsd.org
Subject: Re: svn commit: r280971 - in head: contrib/ipfilter/tools share/man/man4 sys/contrib/ipfilter/netinet sys/netinet sys/netipsec sys/netpfil/pf
Message-ID: <551DEF26.4000403@selasky.org>
In-Reply-To: <358EC58D-1F92-411E-ADEB-8072020E9EB3@FreeBSD.org>
References: <201504012226.t31MQedN044443@svn.freebsd.org> <1427929676.82583.103.camel@freebsd.org> <20150402123522.GC64665@FreeBSD.org> <20150402133751.GA549@dft-labs.eu> <20150402134217.GG64665@FreeBSD.org> <20150402135157.GB549@dft-labs.eu> <1427983109.82583.115.camel@freebsd.org> <20150402142318.GC549@dft-labs.eu> <20150402143420.GI64665@FreeBSD.org> <20150402153805.GD549@dft-labs.eu> <alpine.BSF.2.11.1504021657440.27263@fledge.watson.org> <551D8143.4060509@selasky.org> <551D8945.8050906@selasky.org> <8900318B-8155-4131-A0C3-3DE169782EFC@FreeBSD.org> <551D8C6C.9060504@selasky.org> <alpine.BSF.2.11.1504021939390.64391@fledge.watson.org> <551DA5EA.1080908@selasky.org> <551DAC9E.9010303@selasky.org> <358EC58D-1F92-411E-ADEB-8072020E9EB3@FreeBSD.org>
On 04/02/15 23:20, Robert N. M. Watson wrote:
> On 2 Apr 2015, at 21:54, Hans Petter Selasky <hps@selasky.org> wrote:
>
>> I see from the code that if two frags have the same IP offset, the whole fragment list gets dropped, unless the IP payload is zero bytes long. Maybe a "last" variable should be added?

Hi Robert,

> Are you solving an actual problem you've observed, or is this a speculative proposal?

Yes, I saw in the FreeBSD network code that fragments having IP payload < 8 are not allowed, after writing this e-mail.

> I think you would benefit a great deal from reading Stevens Volume I (second edition) before proceeding with further changes to the TCP/IP code stack.

I will order and read this book eventually. I appreciate your tip.

I would like to have a comment on one final issue about the IP ID field.

Given two [small] prime numbers: P and Q

Assume you have a firewall that separates two networks, called A and B, that are not allowed to communicate.

In network A an application pings the firewall and sees the IP ID field changing P steps.

In network B an application pings the firewall and sees the IP ID field changing Q steps.

If the application in network A always sees that the IP ID field is changing P steps, it knows the application in network B did not send any packets.

If the application in network B always sees that the IP ID field is changing Q steps, it knows the application in network A did not send any packets.

Detecting sending and not sending packets can be used as a way of reliable duplex binary communication.

I think the current and past implementation of the IP ID field in FreeBSD can be used to leak information between networks, or am I totally wrong?

As long as the IP ID counters are shared between two or more secured networks, there will be a problem.

Something along the lines of D2211 might be a way to solve such an information leak without too much overhead!

--HPS
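The shared-counter leak described in the message above, as an added toy simulation that is not part of this thread and not FreeBSD code. It assumes a plain counter incremented by one per packet (the message's P and Q step sizes become a step of one), and the `Firewall`, `transmit` and `leaks` names are hypothetical; it contrasts a counter shared by both interfaces with a per-network counter and with a randomly chosen ID.

```python
import random


class Firewall:
    """Toy model of IP ID assignment on a dual-homed host (constructed)."""

    def __init__(self, policy: str, seed: int = 1):
        self.policy = policy              # "shared", "per_network" or "random"
        self.shared = 0                   # one counter for every interface
        self.per_net: dict[str, int] = {}  # one counter per attached network
        self.rng = random.Random(seed)    # fixed seed keeps the run repeatable

    def reply_id(self, network: str) -> int:
        """IP ID placed on a reply that leaves on interface `network`."""
        if self.policy == "shared":
            self.shared = (self.shared + 1) & 0xFFFF
            return self.shared
        if self.policy == "per_network":
            self.per_net[network] = (self.per_net.get(network, 0) + 1) & 0xFFFF
            return self.per_net[network]
        return self.rng.randrange(1 << 16)  # no observable sequence at all


def transmit(bits, policy):
    """Host in B pings once per round for a 1 bit and stays silent for a 0 bit.
    Host in A pings once per round and reads the ID delta between its replies:
    a delta other than one means some other host was answered in between."""
    fw = Firewall(policy)
    decoded = []
    prev = fw.reply_id("A")               # A's first reply gives the baseline
    for bit in bits:
        if bit:
            fw.reply_id("B")              # B's ping consumes an ID on the firewall
        cur = fw.reply_id("A")
        delta = (cur - prev) & 0xFFFF
        decoded.append(1 if delta != 1 else 0)
        prev = cur
    return decoded


def leaks(policy, bits=(1, 0, 1, 1, 0, 0, 1, 0)):
    """True when A recovers B's bit pattern exactly under this policy."""
    return transmit(list(bits), policy) == list(bits)
```

Only the shared counter lets A recover B's bits; with a per-network counter A sees a delta of one every round, and with random IDs the deltas carry no information about B.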