From owner-freebsd-net@FreeBSD.ORG Tue Apr 29 23:58:48 2003
Date: Wed, 30 Apr 2003 01:58:36 -0500 (CDT)
From: Mike Silbersack
To: Garrett Wollman
cc: net@FreeBSD.org
Subject: Re: Reducing ip_id information leakage
In-Reply-To: <200304292247.h3TMlpPU044307@khavrinen.lcs.mit.edu>
Message-ID: <20030430015609.M514@odysseus.silby.com>
References: <200304292247.h3TMlpPU044307@khavrinen.lcs.mit.edu>
List-Id: Networking and TCP/IP with FreeBSD

Looks good to me, I've been contemplating doing just this for a while.
It's too bad we don't have an inexpensive function we can use for the
!DF case.  I'd like to make the OpenBSD function the default for frag
packets, but it seems just too heavyweight.

Mike "Silby" Silbersack

On Tue, 29 Apr 2003, Garrett Wollman wrote:

> Here's a patch inspired by a recent Steve Bellovin paper.  It also
> saves a bswap operation in the common case for non-TCP (non-PMTUD)
> traffic.  Untested as yet, but I have great faith....
>
> -GAWollman
>
>
> Index: ip_output.c
> ===================================================================
> RCS file: /home/cvs/src/sys/netinet/ip_output.c,v
> retrieving revision 1.187
> diff -u -r1.187 ip_output.c
> --- ip_output.c	12 Apr 2003 06:11:46 -0000	1.187
> +++ ip_output.c	29 Apr 2003 22:42:55 -0000
> @@ -223,17 +223,29 @@ > pkt_dst = args.next_hop ? args.next_hop->sin_addr : ip->ip_dst; > > /* > - * Fill in IP header. > + * Fill in IP header. If we are not allowing fragmentation, > + * then the ip_id field is meaningless, so send it as zero > + * to reduce information leakage. Otherwise, if we are not > + * randomizing ip_id, then don't bother to convert it to network > + * byte order -- it's just a nonce. Note that a 16-bit counter > + * will wrap around in less than 10 seconds at 100 Mbit/s on a > + * medium with MTU 1500. See Steven M. Bellovin, "A Technique > + * for Counting NATted Hosts", Proc. IMW'02, available at > + * . > */ > if ((flags & (IP_FORWARDING|IP_RAWOUTPUT)) == 0) { > ip->ip_v = IPVERSION; > ip->ip_hl = hlen >> 2; > ip->ip_off &= IP_DF; > + if (ip->ip_off) > + ip->ip_id = 0; > + else { > #ifdef RANDOM_IP_ID > - ip->ip_id = ip_randomid(); > + ip->ip_id = ip_randomid(); > #else > - ip->ip_id = htons(ip_id++); > + ip->ip_id = ip_id++; > #endif > + } > ipstat.ips_localout++; > } else { > hlen = ip->ip_hl << 2; > _______________________________________________ > freebsd-net@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-net > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" >
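Review bot: the new `if (ip->ip_off) ip->ip_id = 0;` branch is correct only because `ip->ip_off &= IP_DF;` has just run (so the test really means "DF is set") and because a DF datagram is never fragmented afterwards; the comment should state that invariant explicitly, since a zero ID on a packet that did get fragmented would share its (src, dst, proto, id) reassembly key with every other zero-ID fragment to that destination. Two smaller points on the same hunk: the comment calls the counter value "just a nonce" while noting two sentences later that it wraps in under 10 seconds, so "an opaque value" would be accurate; and replacing `htons(ip_id++)` with `ip_id++` only changes which byte of the on-wire ID increments on a little-endian host, it does not make the sequence less predictable, so the leakage reduction here comes entirely from the DF branch and the commit message should say so. The Bellovin citation in the comment is also missing its URL ("available at .").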
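The following is an added, user-space illustration of the policy in Garrett's hunk and of the host-counting trick it is aimed at; it is not code from this thread or from FreeBSD. `choose_ip_id()` reproduces the hunk's three outcomes (pre-patch counter always, post-patch counter with DF packets zeroed, post-patch random with DF packets zeroed), `fake_randomid()` is a deterministic xorshift stand-in for `ip_randomid()` (an assumption, and not a secure generator), and `count_chains()` is a simplified rendering of Bellovin's heuristic: packets whose IDs continue a short-gap sequence are attributed to one host, so the number of sequences estimates the number of hosts behind a NAT. The trace, the gap threshold and all names are constructed for this example.

```c
/*
 * Added example (not FreeBSD code): the ip_id policy from the quoted hunk,
 * run against a simplified Bellovin-style host counter. The PRNG stand-in,
 * gap threshold, host counters and trace are all constructed here.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP_DF 0x4000            /* don't-fragment bit, as in <netinet/ip.h> */

enum id_mode { ID_COUNTER_ALWAYS, ID_PATCHED_COUNTER, ID_PATCHED_RANDOM };

/* Deterministic stand-in for ip_randomid(); NOT a secure generator. */
static uint32_t prng_state = 0x9E3779B9u;
static uint16_t fake_randomid(void)
{
    prng_state ^= prng_state << 13;
    prng_state ^= prng_state >> 17;
    prng_state ^= prng_state << 5;
    return (uint16_t)(prng_state >> 16);
}

/* The decision in the hunk: after the patch a DF datagram carries ID 0,
 * otherwise the ID is the next counter value (host order) or a random one.
 * ID_COUNTER_ALWAYS is the pre-patch behaviour; byte order is ignored here,
 * since an observer can byte-swap a counter sequence anyway. */
static uint16_t choose_ip_id(enum id_mode mode, uint16_t ip_off, uint16_t *counter)
{
    if (mode == ID_COUNTER_ALWAYS)
        return (*counter)++;
    if (ip_off & IP_DF)
        return 0;
    if (mode == ID_PATCHED_RANDOM)
        return fake_randomid();
    return (*counter)++;
}

/* Simplified observer: IDs seen behind one NAT, in arrival order. An ID that
 * is 1..MAX_GAP above some chain's last ID (mod 2^16) joins that chain,
 * otherwise it opens a new chain. Chains approximate hosts. ID 0 is skipped
 * because, post-patch, it is what every DF datagram carries. */
#define MAX_GAP 8
#define MAX_CHAINS 64

static size_t count_chains(const uint16_t *ids, size_t n)
{
    uint16_t last[MAX_CHAINS];
    size_t nchains = 0, i, j;

    for (i = 0; i < n; i++) {
        uint16_t id = ids[i];
        if (id == 0)
            continue;
        for (j = 0; j < nchains; j++) {
            uint16_t gap = (uint16_t)(id - last[j]);   /* wraps mod 2^16 */
            if (gap >= 1 && gap <= MAX_GAP) {
                last[j] = id;
                break;
            }
        }
        if (j == nchains && nchains < MAX_CHAINS)
            last[nchains++] = id;
    }
    return nchains;
}

/* Constructed trace: three hosts behind a NAT, ten rounds of interleaved
 * packets. Host 1 sends only DF traffic (PMTUD-style TCP); host 2's counter
 * starts at 65530 so it wraps mid-trace. Returns the observer's host count. */
#define HOSTS 3
#define ROUNDS 10

static size_t counted_hosts(enum id_mode mode)
{
    uint16_t counter[HOSTS] = { 1000, 40000, 65530 };
    uint16_t ids[HOSTS * ROUNDS];
    size_t n = 0;
    int r, h;

    for (r = 0; r < ROUNDS; r++)
        for (h = 0; h < HOSTS; h++) {
            uint16_t off = (h == 1) ? IP_DF : 0;
            ids[n++] = choose_ip_id(mode, off, &counter[h]);
        }
    return count_chains(ids, n);
}

int main(void)
{
    printf("pre-patch counter:      %zu hosts counted (actual 3)\n",
           counted_hosts(ID_COUNTER_ALWAYS));
    printf("patched, counter:       %zu hosts counted (DF-only host vanishes)\n",
           counted_hosts(ID_PATCHED_COUNTER));
    printf("patched, random !DF:    %zu chains (random IDs defeat counting)\n",
           counted_hosts(ID_PATCHED_RANDOM));
    return 0;
}
```

With the pre-patch counter all three hosts are counted; after the patch the host that only sends DF traffic disappears from the count, while the two hosts sending fragmentable traffic remain countable through the counter, which is the !DF gap Mike's reply refers to. Switching those hosts to random IDs turns their twenty packets into roughly twenty unrelated chains, which is the effect Mike wants for fragmentable packets but at the cost of running the heavier random-ID function on every one of them.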