From owner-svn-src-all@FreeBSD.ORG Tue Apr 7 18:52:01 2015
Message-Id: <201504071852.t37Iq0Ek088609@svn.freebsd.org>
From: Hans Petter Selasky
Date: Tue, 7 Apr 2015 18:52:00 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r281220 - head/share/man/man4
X-SVN-Group: head

Author: hselasky
Date: Tue Apr 7 18:52:00 2015
New Revision: 281220
URL: https://svnweb.freebsd.org/changeset/base/281220

Log:
  Just briefly mention the dangers of non-random IP IDs.
  A full in-depth explanation belongs somewhere else.

  Suggested by: gleb @
  MFC after:    1 week

Modified:
  head/share/man/man4/inet.4

Modified: head/share/man/man4/inet.4
==============================================================================
--- head/share/man/man4/inet.4 Tue Apr 7 18:14:01 2015 (r281219) +++ head/share/man/man4/inet.4 Tue Apr 7 18:52:00 2015 (r281220) @@ -28,7 +28,7 @@ .\" From: @(#)inet.4 8.1 (Berkeley) 6/5/93 .\" $FreeBSD$ .\" -.Dd April 3, 2015 +.Dd April 7, 2015 .Dt INET 4 .Os .Sh NAME
@@ -244,21 +244,9 @@ IP datagrams (or all IP datagrams, if .Va ip.rfc6864 is disabled) to be randomized instead of incremented by 1 with each packet generated. -This prevents information exchange between any combination of two or -more inside and/or outside observers using packet frequency -modulation, PFM. -An outside observer can ping the outside facing port at a fixed rate -sampling the returned counter. -An inside observer can ping the inside facing port sampling the same -counter. -Even though packets don't flow directly between any of the observers -any single observer can influence the data rate the other observer(s) -is or are sampling. -This is done by sending more or less ping packets towards the gateway -per measured interval. -Setting this sysctl also prevents the remote and internal observers to -determine the rate of packet generation on the machine by watching the -counter. +This prevents IP IDs being abused as a covert channel and also closes +a minor information leak which allows remote observers to determine +the rate of packet generation on the machine by watching the counter. At the same time, on high-speed links, it can decrease the ID reuse cycle greatly. Default is 0 (sequential IP IDs).
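Review bot: the replacement sentence in the second hunk (@@ -244,21 +244,9 @@) has a grammar slip: "This prevents IP IDs being abused as a covert channel" should read "This prevents IP IDs from being abused as a covert channel". The shortened wording also narrows the leak to "remote observers", whereas the removed text made the point that any party that can elicit packets from the gateway, on the inside or the outside interface, can sample the counter; "any observer who can elicit packets from the machine" would preserve that without restoring the PFM walkthrough the commit message says it is dropping. Finally, since the log entry says a full explanation "belongs somewhere else" but names no place, consider adding a cross reference in the man page once that text exists, and keep the following sentence about the shortened ID reuse cycle on high-speed links adjacent to the new text, as it is the trade-off that argues against enabling the randomization unconditionally.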