From owner-freebsd-net@FreeBSD.ORG  Sat Apr  4 18:23:34 2015
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 97179304;
 Sat,  4 Apr 2015 18:23:34 +0000 (UTC)
Received: from mail.turbocat.net (mail.turbocat.net
 [IPv6:2a01:4f8:d16:4514::2])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 4EFC88F3;
 Sat,  4 Apr 2015 18:23:34 +0000 (UTC)
Received: from laptop015.home.selasky.org
 (cm-176.74.213.204.customer.telag.net [176.74.213.204])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 by mail.turbocat.net (Postfix) with ESMTPSA id 000391FE022;
 Sat,  4 Apr 2015 20:23:31 +0200 (CEST)
Message-ID: <55202C4E.1010902@selasky.org>
Date: Sat, 04 Apr 2015 20:24:14 +0200
From: Hans Petter Selasky <hps@selasky.org>
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64;
 rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: "Robert N. M. Watson" <rwatson@FreeBSD.org>
Subject: Re: Patch to reduce use of global IP ID value(s) to avoid leaking
 information
References: <551F034A.3040402@selasky.org>
 <20150403213641.GM64665@glebius.int.ru> <551FA37B.90609@selasky.org>
 <35F9F267-EDB3-45FC-95E0-4573556BD736@freebsd.org>
 <551FF191.2090109@selasky.org> <55200A51.3090008@selasky.org>
 <C936160B-4959-42F9-9433-226AA5CC7591@FreeBSD.org>
In-Reply-To: <C936160B-4959-42F9-9433-226AA5CC7591@FreeBSD.org>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Cc: "emeric.poupon@stormshield.eu >> Emeric POUPON"
 <emeric.poupon@stormshield.eu>,
 "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>,
 "Peter N. M. Hansteen" <peter@bsdly.net>
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net/>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Apr 2015 18:23:34 -0000

Hi Robert,

On 04/04/15 19:11, Robert N. M. Watson wrote:
> and it's not clear it will offer practical benefit nor allow the implementation to be at all efficient -- which is far more important to most FreeBSD users

Then what Putin stated public last year is absolutely true:

http://www.theguardian.com/world/2014/apr/24/vladimir-putin-web-breakup-internet-cia

The IPv4 protocol was intentionally designed to be such, that in any 
ways trying to make it more secure, will require additional CPU 
overhead, like keeping track of 2-tuples for generating per-stream IP 
IDs, that it will not be feasible in practice and then vendors will do 
insecure implementations instead of secure implementations to get the 
needed performance. The IP ID field was then intentionally designed to 
be too small, 16-bit. If Snowden leaks documents on this, would for sure 
confirm this claim.

OK, Robert, I fully understand and will not touch this issue any more 
before my head gets cut off :-) I appreciate your openness and 
willingness to share information on this issue. You know the IPv4 
history even before I came to this world.

--HPS