Date:      Fri, 3 Apr 2015 15:38:38 +0200 (CEST)
From:      Emeric POUPON <emeric.poupon@stormshield.eu>
To:        Hans Petter Selasky <hps@selasky.org>
Cc:        Mateusz Guzik <mjguzik@gmail.com>, src-committers@freebsd.org, Ian Lepore <ian@freebsd.org>, svn-src-all@freebsd.org, Gleb Smirnoff <glebius@FreeBSD.org>, "Robert N. M. Watson" <rwatson@FreeBSD.org>, svn-src-head@freebsd.org
Subject:   Re: svn commit: r280971 - in head: contrib/ipfilter/tools share/man/man4 sys/contrib/ipfilter/netinet sys/netinet sys/netipsec sys/netpfil/pf
Message-ID:  <206317407.27296349.1428068318117.JavaMail.zimbra@stormshield.eu>
In-Reply-To: <551E906B.3010900@selasky.org>
References:  <551DA5EA.1080908@selasky.org> <6DF5FB51-8135-4144-BD3A-6E4127A23AA7@FreeBSD.org> <551E5C38.7070203@selasky.org> <78DD67BD-621C-451D-8E30-EC9BF396716F@FreeBSD.org> <551E6E72.8050208@selasky.org> <20150403112927.GQ64665@FreeBSD.org> <551E8A96.6030806@selasky.org> <551E906B.3010900@selasky.org>

A good random ip id would certainly be better.
But the current implementation is far from being optimized: a lock is being held inside arc4rand, and another one for protecting the ip_id internals.
We already have contention problems with the IV generated for ESP packets. The randomized ip id, using this implementation, is in my opinion not an acceptable solution.

Regards,

Emeric


----- Original message -----
From: "Hans Petter Selasky" <hps@selasky.org>
To: "Gleb Smirnoff" <glebius@FreeBSD.org>
Cc: "Mateusz Guzik" <mjguzik@gmail.com>, "Ian Lepore" <ian@freebsd.org>, svn-src-all@freebsd.org, src-committers@freebsd.org, "Robert N. M. Watson" <rwatson@FreeBSD.org>, svn-src-head@freebsd.org
Sent: Friday 3 April 2015 15:06:51
Subject: Re: svn commit: r280971 - in head: contrib/ipfilter/tools share/man/man4 sys/contrib/ipfilter/netinet sys/netinet sys/netipsec sys/netpfil/pf

On 04/03/15 14:41, Hans Petter Selasky wrote:
> On 04/03/15 13:29, Gleb Smirnoff wrote:
>> On Fri, Apr 03, 2015 at 12:41:54PM +0200, Hans Petter Selasky wrote:
>> H> "ip_do_randomid" is zero by default, and is not documented anywhere:
>> H>
>> H> grep -r ip_do_randomid share/
>>
>> It is documented in inet(4).
>>
>> The actual sysctl knob doesn't match the kernel symbol name, which is
>> allowed in sysctl(9).
>>
>
> Hi,
>
> Will you mind if I rephrase that paragraph in the "inet.4" manual page
> from:
>
> "This closes a minor information leak which allows remote observers to
> determine the rate of packet generation on the machine by watching the
> counter."
>
> Into:
>
> "This prevents high-speed information exchange between internal and
> external observers using packet frequency modulation. An outside
> observer can ping the outside facing port at a fixed rate watching the
> counter. An inside observer can ping the inside facing port watching the
> same counter. Even though packets don't flow between the two ports, data
> can be exchanged by watching changes in the packet rate. It is believed
> that data can be exchanged in Kb/s range this way. Setting this sysctl
> also prevents remote and internal observers to determine the rate of
> packet generation on the machine by watching the counter."
>

Hi,

Maybe there will be some new applications after this discovery. No need
for uPnP any more. Could be nice to send text messages through
firewalls. Depends how many implement the IP ID counting the same way
like FreeBSD does ;-)

--HPS
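The rate leak that the quoted inet(4) paragraph describes, as an added simulation (not code from FreeBSD or from either poster): a host hands out IPv4 Identification values either from one global counter or from a per-packet random source, an observer probes it at a fixed interval, and the ID deltas between replies either reveal how much other traffic the host sent or reveal nothing. The generator classes, the constructed background-traffic pattern and the function names are assumptions made for this example.

```python
import random

ID_SPACE = 1 << 16  # the 16-bit IPv4 Identification field


class SequentialIpId:
    """One global counter shared by every packet the host sends
    (the pre-randomization behaviour the thread is about)."""

    def __init__(self, start=0):
        self.counter = start % ID_SPACE

    def next_id(self):
        self.counter = (self.counter + 1) % ID_SPACE
        return self.counter


class RandomIpId:
    """A fresh random value per packet: what enabling the sysctl buys."""

    def __init__(self, seed=0):
        self.rng = random.Random(seed)  # seeded only so the demo is repeatable

    def next_id(self):
        return self.rng.randrange(ID_SPACE)


def observe(generator, background):
    """IDs an observer sees on its probe replies.

    Between two probes the host emits background[i] unrelated packets
    (a constructed traffic pattern); each one consumes an ID first."""
    seen = []
    for n in background:
        for _ in range(n):
            generator.next_id()  # other hosts' traffic burns IDs
        seen.append(generator.next_id())  # the reply to our probe
    return seen


def infer_background(seen):
    """Estimate packets sent between consecutive probes from ID deltas.
    The modulo handles the counter wrapping past 65535."""
    return [(b - a - 1) % ID_SPACE for a, b in zip(seen, seen[1:])]


def leak_demo(background, start=0):
    """Return (inferred with global counter, inferred with random IDs)."""
    sequential = infer_background(observe(SequentialIpId(start), background))
    randomized = infer_background(observe(RandomIpId(), background))
    return sequential, randomized
```

With the global counter the inferred list equals the true background traffic between probes, wraparound included; with per-packet random IDs the deltas carry no information about the rate.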
