Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 12 Apr 2001 12:22:44 -0600
From:      Wes Peters <wes@softweyr.com>
To:        Mike Silbersack <silby@silby.com>
Cc:        Rob Simmons <rsimmons@wlcg.com>, Mark T Roberts <newsletter@marktroberts.com>, freebsd-security@FreeBSD.ORG
Subject:   Re: non-random IP IDs
Message-ID:  <3AD5F274.547D0350@softweyr.com>
References:  <Pine.BSF.4.31.0104121046150.3325-100000@achilles.silby.com>
next in thread | previous in thread | raw e-mail | index | archive | help 
Mike Silbersack wrote:
> 
> On Thu, 12 Apr 2001, Rob Simmons wrote:
> 
> > On Thu, 12 Apr 2001, Mike Silbersack wrote:
> >
> > > Each IP packet sent has with it a 16-bit ID.  The numbers must remain
> > > unique over a short period of time so fragmentation can work properly.  As
> > > such, everything except recent openbsds simple increments the id by 1 for
> > > each packet sent out.
> >
> > What is the behavior of OpenBSD for this?  If its not important, why would
> > they change it?
> 
> They generate pseudo-random, nonrepeating ids.  For the actual algorithm,
> see:
> 
> http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/ip_id.c?rev=1.2&content-type=text/x-cvsweb-markup&cvsroot=openbsd
> 
> Although it's nice in theory, the amount of work required to generate the
> ids seems too great to justify for each packet sent.  (Note that I said
> "seems", I'm not sure if anyone has done actual benchmarks to determine
> the actual impact.)

Just like TCP sequence numbers, non-predictable IP IDs are *supposed to* 
make it somewhat harder to insert bogus fragments into a packet stream.
If you are a router, this won't make a bit of difference in your ability
to frag a packet and stick whatever data you want into it; if you are
not a router your ability to see a fragmented packet go by and inject
other frags into it is almost non-existant anyhow, so I don't see much
value in this.  It's mostly just in fitting with the OpenBSD "deny them
everything" approach.

-- 
            "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                         Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3AD5F274.547D0350>