Date: Fri, 03 Apr 2015 10:00:22 -0400
From: "George Neville-Neil" <gnn@neville-neil.com>
To: "Emeric POUPON" <emeric.poupon@stormshield.eu>
Cc: Hans Petter Selasky <hps@selasky.org>, Mateusz Guzik <mjguzik@gmail.com>, src-committers@freebsd.org, Ian Lepore <ian@freebsd.org>, svn-src-all@freebsd.org, Gleb Smirnoff <glebius@FreeBSD.org>, "Robert N. M. Watson" <rwatson@FreeBSD.org>, svn-src-head@freebsd.org
Subject: Re: svn commit: r280971 - in head: contrib/ipfilter/tools share/man/man4 sys/contrib/ipfilter/netinet sys/netinet sys/netipsec sys/netpfil/pf
Message-ID: <195BF758-2AF8-4758-9CA9-681337EE4FBF@neville-neil.com>
In-Reply-To: <206317407.27296349.1428068318117.JavaMail.zimbra@stormshield.eu>
References: <551DA5EA.1080908@selasky.org> <6DF5FB51-8135-4144-BD3A-6E4127A23AA7@FreeBSD.org> <551E5C38.7070203@selasky.org> <78DD67BD-621C-451D-8E30-EC9BF396716F@FreeBSD.org> <551E6E72.8050208@selasky.org> <20150403112927.GQ64665@FreeBSD.org> <551E8A96.6030806@selasky.org> <551E906B.3010900@selasky.org> <206317407.27296349.1428068318117.JavaMail.zimbra@stormshield.eu>
OK, top post. This is a general discussion. Move to net@ and get this out of our commit mails please.

Best,
George

On 3 Apr 2015, at 9:38, Emeric POUPON wrote:
> A good ip id random would be certainly better.
> But the current implementation is far from being optimized: a lock is
> being held inside arc4rand, and another one for protecting the ip_id
> internals.
> We already have contention problems with the IV generated for ESP
> packets. The randomized ip id, using this implementation, is in my
> opinion not an acceptable solution.
>
> Regards,
>
> Emeric
>
>
> ----- Original Message -----
> From: "Hans Petter Selasky" <hps@selasky.org>
> To: "Gleb Smirnoff" <glebius@FreeBSD.org>
> Cc: "Mateusz Guzik" <mjguzik@gmail.com>, "Ian Lepore" <ian@freebsd.org>,
> svn-src-all@freebsd.org, src-committers@freebsd.org,
> "Robert N. M. Watson" <rwatson@FreeBSD.org>, svn-src-head@freebsd.org
> Sent: Friday, 3 April 2015 15:06:51
> Subject: Re: svn commit: r280971 - in head: contrib/ipfilter/tools
> share/man/man4 sys/contrib/ipfilter/netinet sys/netinet sys/netipsec
> sys/netpfil/pf
>
> On 04/03/15 14:41, Hans Petter Selasky wrote:
>> On 04/03/15 13:29, Gleb Smirnoff wrote:
>>> On Fri, Apr 03, 2015 at 12:41:54PM +0200, Hans Petter Selasky wrote:
>>> H> "ip_do_randomid" is zero by default, and is not documented anywhere:
>>> H>
>>> H> grep -r ip_do_randomid share/
>>>
>>> It is documented in inet(4).
>>>
>>> The actual sysctl knob doesn't match the kernel symbol name, which is
>>> allowed in sysctl(9).
>>>
>>
>> Hi,
>>
>> Would you mind if I rephrase that paragraph in the "inet.4" manual page
>> from:
>>
>> "This closes a minor information leak which allows remote observers to
>> determine the rate of packet generation on the machine by watching the
>> counter."
>>
>> Into:
>>
>> "This prevents high-speed information exchange between internal and
>> external observers using packet frequency modulation. An outside
>> observer can ping the outside facing port at a fixed rate watching the
>> counter. An inside observer can ping the inside facing port watching the
>> same counter. Even though packets don't flow between the two ports, data
>> can be exchanged by watching changes in the packet rate. It is believed
>> that data can be exchanged in the Kb/s range this way. Setting this sysctl
>> also prevents remote and internal observers from determining the rate of
>> packet generation on the machine by watching the counter."
>>
>
> Hi,
>
> Maybe there will be some new applications after this discovery. No need
> for UPnP any more. Could be nice to send text messages through
> firewalls. Depends how many implement the IP ID counting the same way
> as FreeBSD does ;-)
>
> --HPS
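The counter-based IP ID behaviour the quoted messages argue about, as an added example that is not part of this thread and not FreeBSD's ip_id code: a Python model of a host whose IPv4 Identification field comes from one global counter (or, in the ip_do_randomid-style case, an independent random draw per packet), the rate estimator a remote observer would run against such a counter, and the inside/outside covert channel Hans Petter Selasky sketches, where an inside party modulates the counter by sending bursts and an outside party reads it back from the IDs of its own probe replies. The class and function names (Host, id_delta, estimate_rate, covert_channel), the per-window traffic figures and the decision threshold are assumptions made for the simulation; nothing is sent on the wire.

```python
import random

ID_MOD = 1 << 16  # the IPv4 Identification field is 16 bits wide


class Host:
    """Model of one host's IP ID source (constructed for this example; not
    FreeBSD's ip_id code). randomize=False: every transmitted packet takes
    the next value of a single global counter, as the thread describes.
    randomize=True: each ID is an independent draw, the ip_do_randomid case.
    """

    def __init__(self, randomize=False, seed=1):
        self.randomize = randomize
        self.rng = random.Random(seed)
        self.counter = self.rng.randrange(ID_MOD)  # arbitrary start value

    def send(self):
        """Allocate and return the IP ID of one outgoing packet."""
        if self.randomize:
            return self.rng.randrange(ID_MOD)
        self.counter = (self.counter + 1) % ID_MOD
        return self.counter


def id_delta(prev_id, cur_id):
    """Packets a counter-based host sent between two observed IDs.
    Handles the 16-bit wrap; assumes fewer than 65536 packets in between."""
    return (cur_id - prev_id) % ID_MOD


def estimate_rate(prev_id, cur_id, interval_s, own_packets=1):
    """Packets/second the host emitted to everyone else during interval_s,
    with the replies to the observer's own probes subtracted out."""
    return (id_delta(prev_id, cur_id) - own_packets) / interval_s


def covert_channel(bits, randomize=False, background=5, high=40, seed=7):
    """Run the inside/outside observer scenario for one bit string.

    Per bit window (figures are assumptions): up to `background` unrelated
    packets leave the host; the inside party sends `high` extra pings to
    encode a 1 and nothing for a 0; the outside observer sends one probe
    and reads the IP ID of the reply. Returns the bits the outside
    observer decodes. No packet ever flows between the two parties.
    """
    host = Host(randomize=randomize, seed=seed)
    noise = random.Random(seed + 1)
    last = host.send()  # reply to the outside observer's first probe
    decoded = []
    for bit in bits:
        for _ in range(noise.randint(0, background)):
            host.send()  # unrelated traffic inside the window
        if bit:
            for _ in range(high):
                host.send()  # inside party modulates the shared counter
        cur = host.send()  # reply to the outside observer's probe
        others = id_delta(last, cur) - 1  # discount the probe reply itself
        decoded.append(1 if others >= high // 2 else 0)
        last = cur
    return decoded


def bit_errors(sent, received):
    """Number of positions where the decoded bit differs from the sent one."""
    return sum(a != b for a, b in zip(sent, received))


if __name__ == "__main__":
    msg = [0, 1, 1, 0, 1, 0, 0, 1]
    for randomize in (False, True):
        got = covert_channel(msg, randomize=randomize)
        print("random IDs" if randomize else "counter IDs",
              got, "errors:", bit_errors(msg, got))
```

With a sequential counter the decoder recovers every bit, because the only noise is the bounded background traffic; with per-packet random IDs the deltas carry no information about the packet rate and the channel collapses to noise. The simulation says nothing about the cost Emeric raises (the locks taken per packet inside arc4rand and around the ip_id state), which is the other half of the trade-off being discussed. On a real host the outside observer's side of this is just `tcpdump -v` on the echo replies, which prints the Identification field of each IPv4 packet.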