Date:      Fri, 3 Apr 2015 10:31:13 +0100
From:      "Robert N. M. Watson" <rwatson@FreeBSD.org>
To:        Hans Petter Selasky <hps@selasky.org>
Cc:        Mateusz Guzik <mjguzik@gmail.com>, Ian Lepore <ian@freebsd.org>, svn-src-all@freebsd.org, src-committers@freebsd.org, Gleb Smirnoff <glebius@FreeBSD.org>, svn-src-head@freebsd.org
Subject:   Re: svn commit: r280971 - in head: contrib/ipfilter/tools share/man/man4 sys/contrib/ipfilter/netinet sys/netinet sys/netipsec sys/netpfil/pf
Message-ID:  <78DD67BD-621C-451D-8E30-EC9BF396716F@FreeBSD.org>
In-Reply-To: <551E5C38.7070203@selasky.org>
References:  <201504012226.t31MQedN044443@svn.freebsd.org> <1427929676.82583.103.camel@freebsd.org> <20150402123522.GC64665@FreeBSD.org> <20150402133751.GA549@dft-labs.eu> <20150402134217.GG64665@FreeBSD.org> <20150402135157.GB549@dft-labs.eu> <1427983109.82583.115.camel@freebsd.org> <20150402142318.GC549@dft-labs.eu> <20150402143420.GI64665@FreeBSD.org> <20150402153805.GD549@dft-labs.eu> <alpine.BSF.2.11.1504021657440.27263@fledge.watson.org> <551D8143.4060509@selasky.org> <551D8945.8050906@selasky.org> <8900318B-8155-4131-A0C3-3DE169782EFC@FreeBSD.org> <551D8C6C.9060504@selasky.org> <alpine.BSF.2.11.1504021939390.64391@fledge.watson.org> <551DA5EA.1080908@selasky.org> <551DAC9E.9010303@selasky.org> <358EC58D-1F92-411E-ADEB-8072020E9EB3@FreeBSD.org> <551DEF26.4000403@selasky.org> <4B7DAA59-389F-41AE-99D8-034A7AA61C99@FreeBSD.org> <551E520E.1040708@selasky.org> <6DF5FB51-8135-4144-BD3A-6E4127A23AA7@FreeBSD.org> <551E5C38.7070203@selasky.org>

On 3 Apr 2015, at 10:24, Hans Petter Selasky <hps@selasky.org> wrote:

>> Before engaging further in this conversation, and trying to modify the behaviour of the TCP/IP stack, you need to educate yourself about the design and history of the protocols involved. Otherwise, you're going to repeatedly suggest ideas that are fundamentally broken, and we're going to waste our time shooting them down when you could just have done a bit of background reading and learned the basics of the protocol design and implementation.
> 
> I went to wikipedia and looked up covert channel and found this: https://www.sans.org/security-resources/idfaq/covert_chan.php
> 
> What's described there is entirely about Peer2Peer communication. What I'm describing is broadcast for the whole system or firewall. Don't you understand that the IP ID counter is _linearly_ adding up and feeding back the sum to the source. It is like a radio channel for the whole firewall. Do you know how analog modems work? I have other things to do this Easter and I don't want to spend more time with this either. I think the people responsible in the IP-stack area should make a fix. The IP ID must be randomized much more than it is today.


What I understand is that you are uninterested in doing the basic background reading required to have a sensible conversation about this code, and instead you are hacking away at the code and proposing changes without understanding the requirements. Once you've read Stevens Volume I and the appropriate sections of the FreeBSD D+I code, we can start talking about requirements for the IP ID code. If you want to talk about covert channels, then you need to move beyond Wikipedia as your primary information source, as there is an extensive literature in TCP/IP covert and side channels. Please stop proposing changes to protocols and code that you simply don't understand (i.e., to use different IP ID values for different fragments of the same datagram!), and do the basic background reading. There are real problems to solve here, and I'm certainly open to proposals to solve them -- but it can't be done without an awareness of the framing concerns about protocol design, network-stack interoperability, etc. This is not an area suitable for casual dabbling: if you want to do work in this area, you will need to spend weeks or months coming up to speed.

Robert
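The two protocol points this exchange turns on, shown as an added Python example that is not code from the FreeBSD tree or from either correspondent: a receiver reassembles fragments keyed on (source, destination, protocol, IP ID), so giving each fragment of one datagram its own ID, as proposed in the thread, means nothing reassembles; and a plain incrementing IP ID counter is distinguishable from a randomised one by looking at the deltas between successive IDs seen from a host, which is the check a defender would run against their own stack. The addresses, fragment sizes and ID sequences are constructed sample values, and the reassembler is a toy that ignores overlap handling and timeouts.

```python
"""Toy IPv4 fragmentation / reassembly and an IP ID predictability check.

Added example, not code from FreeBSD or from anyone in the mail thread.
Addresses, sizes and ID sequences below are constructed sample values.
"""
import random
from collections import defaultdict

FRAG_UNIT = 8   # IPv4 fragment offsets are expressed in 8-byte units


def fragment(datagram, mtu_payload, ip_id, src="10.0.0.1", dst="10.0.0.2", proto=17):
    """Split a datagram payload into fragments that all carry the same ip_id."""
    if mtu_payload % FRAG_UNIT:
        raise ValueError("fragment payload size must be a multiple of 8")
    frags = []
    for off in range(0, len(datagram), mtu_payload):
        chunk = datagram[off:off + mtu_payload]
        frags.append({
            "src": src, "dst": dst, "proto": proto, "id": ip_id,
            "offset": off // FRAG_UNIT,                 # in 8-byte units
            "mf": off + mtu_payload < len(datagram),     # More Fragments flag
            "data": chunk,
        })
    return frags


def per_fragment_ids(frags, first_id):
    """The change criticised in the mail: a different IP ID on every fragment."""
    return [dict(f, id=(first_id + i) & 0xFFFF) for i, f in enumerate(frags)]


def reassemble(frags):
    """Group fragments by (src, dst, proto, id); return the complete datagrams.

    A datagram is complete when offsets run contiguously from 0 up to a
    fragment with MF=0. Fragments carrying a different ID land in a
    different group and can never complete each other.
    """
    groups = defaultdict(dict)
    for f in frags:
        key = (f["src"], f["dst"], f["proto"], f["id"])
        groups[key][f["offset"]] = (f["mf"], f["data"])
    complete = {}
    for key, parts in groups.items():
        expected, buf = 0, bytearray()
        for off in sorted(parts):
            mf, data = parts[off]
            if off != expected:
                break                      # hole: still waiting for data
            buf += data
            if not mf:
                complete[key] = bytes(buf)  # last fragment seen, done
                break
            expected = off + len(data) // FRAG_UNIT
    return complete


def sequential_ids(start, n):
    """IDs from a plain 16-bit counter, the behaviour the thread complains about."""
    return [(start + i) & 0xFFFF for i in range(n)]


def random_ids(n, seed=1):
    """IDs from a seeded PRNG (constructed sample, not a real stack's generator)."""
    rng = random.Random(seed)
    return [rng.getrandbits(16) for _ in range(n)]


def sequential_fraction(ids):
    """Fraction of successive observed IDs that differ by exactly 1 mod 2^16.

    About 1.0 for a global counter, about 0.0 for a randomised generator;
    useful as a quick audit of what one's own host emits.
    """
    if len(ids) < 2:
        return 0.0
    hits = sum(1 for a, b in zip(ids, ids[1:]) if ((b - a) & 0xFFFF) == 1)
    return hits / (len(ids) - 1)


if __name__ == "__main__":
    payload = bytes(range(256)) * 10            # 2560-byte constructed payload
    same_id = fragment(payload, 1480, 0x1234)
    print("same ID on all fragments  ->", len(reassemble(same_id)), "datagram(s)")
    print("distinct ID per fragment  ->", len(reassemble(per_fragment_ids(same_id, 0x1234))), "datagram(s)")
    print("counter sequential_fraction =", sequential_fraction(sequential_ids(65530, 100)))
    print("random  sequential_fraction =", sequential_fraction(random_ids(1000)))
```

Running it reassembles the constructed payload when all fragments share an ID and reassembles nothing when each fragment gets its own, which is the concrete reason the per-fragment proposal breaks interoperability; the counter check reports 1.0 for the sequential source and essentially 0 for the randomised one.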
