From owner-freebsd-security  Thu Apr 12 11:34: 0 2001
Delivered-To: freebsd-security@freebsd.org
Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220])
	by hub.freebsd.org (Postfix) with ESMTP id 7747237B423
	for <freebsd-security@freebsd.org>; Thu, 12 Apr 2001 11:33:54 -0700 (PDT)
	(envelope-from wes@softweyr.com)
Received: from [127.0.0.1] (helo=softweyr.com ident=952ea59baff6d70c65a9c19200e6278a)
	by homer.softweyr.com with esmtp (Exim 3.16 #1)
	id 14nljw-0000JJ-00; Thu, 12 Apr 2001 12:22:44 -0600
Message-ID: <3AD5F274.547D0350@softweyr.com>
Date: Thu, 12 Apr 2001 12:22:44 -0600
From: Wes Peters <wes@softweyr.com>
Organization: Softweyr LLC
X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Mike Silbersack <silby@silby.com>
Cc: Rob Simmons <rsimmons@wlcg.com>,
	Mark T Roberts <newsletter@marktroberts.com>,
	freebsd-security@FreeBSD.ORG
Subject: Re: non-random IP IDs
References: <Pine.BSF.4.31.0104121046150.3325-100000@achilles.silby.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Mike Silbersack wrote:
> 
> On Thu, 12 Apr 2001, Rob Simmons wrote:
> 
> > On Thu, 12 Apr 2001, Mike Silbersack wrote:
> >
> > > Each IP packet sent has with it a 16-bit ID.  The numbers must remain
> > > unique over a short period of time so fragmentation can work properly.  As
> > > such, everything except recent openbsds simple increments the id by 1 for
> > > each packet sent out.
> >
> > What is the behavior of OpenBSD for this?  If its not important, why would
> > they change it?
> 
> They generate pseudo-random, nonrepeating ids.  For the actual algorithm,
> see:
> 
> http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/ip_id.c?rev=1.2&content-type=text/x-cvsweb-markup&cvsroot=openbsd
> 
> Although it's nice in theory, the amount of work required to generate the
> ids seems too great to justify for each packet sent.  (Note that I said
> "seems", I'm not sure if anyone has done actual benchmarks to determine
> the actual impact.)

Just like TCP sequence numbers, non-predictable IP IDs are *supposed to* 
make it somewhat harder to insert bogus fragments into a packet stream.
If you are a router, this won't make a bit of difference in your ability
to frag a packet and stick whatever data you want into it; if you are
not a router your ability to see a fragmented packet go by and inject
other frags into it is almost non-existant anyhow, so I don't see much
value in this.  It's mostly just in fitting with the OpenBSD "deny them
everything" approach.

-- 
            "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                         Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message