Date:      Tue, 7 Apr 2015 18:52:00 +0000 (UTC)
From:      Hans Petter Selasky <hselasky@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r281220 - head/share/man/man4
Message-ID:  <201504071852.t37Iq0Ek088609@svn.freebsd.org>

Author: hselasky
Date: Tue Apr  7 18:52:00 2015
New Revision: 281220
URL: https://svnweb.freebsd.org/changeset/base/281220

Log:
  Just briefly mention the dangers of non-random IP IDs.
  A full in-depth explanation belongs somewhere else.
  
  Suggested by:	gleb @
  MFC after:	1 week

Modified:
  head/share/man/man4/inet.4

Modified: head/share/man/man4/inet.4
==============================================================================
--- head/share/man/man4/inet.4	Tue Apr  7 18:14:01 2015	(r281219)
+++ head/share/man/man4/inet.4	Tue Apr  7 18:52:00 2015	(r281220)
@@ -28,7 +28,7 @@
 .\"     From: @(#)inet.4	8.1 (Berkeley) 6/5/93
 .\" $FreeBSD$
 .\"
-.Dd April 3, 2015
+.Dd April 7, 2015
 .Dt INET 4
 .Os
 .Sh NAME
@@ -244,21 +244,9 @@ IP datagrams (or all IP datagrams, if
 .Va ip.rfc6864
 is disabled) to be randomized instead of incremented by 1 with each packet
 generated.
-This prevents information exchange between any combination of two or
-more inside and/or outside observers using packet frequency
-modulation, PFM.
-An outside observer can ping the outside facing port at a fixed rate
-sampling the returned counter.
-An inside observer can ping the inside facing port sampling the same
-counter.
-Even though packets don't flow directly between any of the observers
-any single observer can influence the data rate the other observer(s)
-is or are sampling.
-This is done by sending more or less ping packets towards the gateway
-per measured interval.
-Setting this sysctl also prevents the remote and internal observers to
-determine the rate of packet generation on the machine by watching the
-counter.
+This prevents IP IDs being abused as a covert channel and also closes
+a minor information leak which allows remote observers to determine
+the rate of packet generation on the machine by watching the counter.
 At the same time, on high-speed links, it can decrease the ID reuse
 cycle greatly.
 Default is 0 (sequential IP IDs).
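Review bot: the new sentence "+This prevents IP IDs being abused as a covert channel" is missing "from" ("prevents IP IDs from being abused"), and "prevents" overstates what the sysctl does: per the unchanged context above, it only makes the ID randomized instead of incremented by 1, so the counter an observer samples becomes unpredictable; the packets the removed text described (pinging the gateway and watching the counter) still flow. Suggest "This makes the IP ID unusable as a covert channel and also closes a minor information leak ...". Note also that the removed lines covered both inside and outside observers, while the replacement mentions only "remote observers"; if the inside case is still intended, say "local or remote observers". Since the log entry defers the full explanation elsewhere, a pointer next to the existing .Va ip.rfc6864 reference (e.g. naming RFC 6864) would give readers somewhere to look.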


