From owner-freebsd-net@FreeBSD.ORG  Tue Apr 29 15:47:53 2003
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id C519837B401
	for <net@FreeBSD.org>; Tue, 29 Apr 2003 15:47:53 -0700 (PDT)
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 1CC3843F85
	for <net@FreeBSD.org>; Tue, 29 Apr 2003 15:47:53 -0700 (PDT)
	(envelope-from wollman@khavrinen.lcs.mit.edu)
Received: from khavrinen.lcs.mit.edu (localhost [IPv6:::1])
	by khavrinen.lcs.mit.edu (8.12.9/8.12.9) with ESMTP id h3TMlpVo044310
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
	for <net@FreeBSD.org>; Tue, 29 Apr 2003 18:47:51 -0400 (EDT)
	(envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost)
	by khavrinen.lcs.mit.edu (8.12.9/8.12.9/Submit) id h3TMlpPU044307;
	Tue, 29 Apr 2003 18:47:51 -0400 (EDT)
	(envelope-from wollman)
Date: Tue, 29 Apr 2003 18:47:51 -0400 (EDT)
From: Garrett Wollman <wollman@lcs.mit.edu>
Message-Id: <200304292247.h3TMlpPU044307@khavrinen.lcs.mit.edu>
To: net@FreeBSD.org
X-Spam-Score: -6 () PATCH_UNIFIED_DIFF
X-Scanned-By: MIMEDefang 2.33 (www . roaringpenguin . com / mimedefang)
Subject: Reducing ip_id information leakage
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Apr 2003 22:47:54 -0000

Here's a patch inspired by a recent Steve Bellovin paper.  It also
saves a bswap operation in the common case for non-TCP (non-PMTUD)
traffic.  Untested as yet, but I have great faith....

-GAWollman


Index: ip_output.c
===================================================================
RCS file: /home/cvs/src/sys/netinet/ip_output.c,v
retrieving revision 1.187
diff -u -r1.187 ip_output.c
--- ip_output.c	12 Apr 2003 06:11:46 -0000	1.187
+++ ip_output.c	29 Apr 2003 22:42:55 -0000
@@ -223,17 +223,29 @@
 	pkt_dst = args.next_hop ? args.next_hop->sin_addr : ip->ip_dst;
 
 	/*
-	 * Fill in IP header.
+	 * Fill in IP header.  If we are not allowing fragmentation,
+	 * then the ip_id field is meaningless, so send it as zero
+	 * to reduce information leakage.  Otherwise, if we are not
+	 * randomizing ip_id, then don't bother to convert it to network
+	 * byte order -- it's just a nonce.  Note that a 16-bit counter
+	 * will wrap around in less than 10 seconds at 100 Mbit/s on a
+	 * medium with MTU 1500.  See Steven M. Bellovin, "A Technique
+	 * for Counting NATted Hosts", Proc. IMW'02, available at
+	 * <http://www.research.att.com/~smb/papers/fnat.pdf>.
 	 */
 	if ((flags & (IP_FORWARDING|IP_RAWOUTPUT)) == 0) {
 		ip->ip_v = IPVERSION;
 		ip->ip_hl = hlen >> 2;
 		ip->ip_off &= IP_DF;
+		if (ip->ip_off)
+			ip->ip_id = 0;
+		else {
 #ifdef RANDOM_IP_ID
-		ip->ip_id = ip_randomid();
+			ip->ip_id = ip_randomid();
 #else
-		ip->ip_id = htons(ip_id++);
+			ip->ip_id = ip_id++;
 #endif
+		}
 		ipstat.ips_localout++;
 	} else {
 		hlen = ip->ip_hl << 2;