Date: Wed, 30 Apr 2003 16:18:51 -0400 (EDT)
From: Garrett Wollman <wollman@lcs.mit.edu>
To: Mike Silbersack <silby@silby.com>
Cc: net@FreeBSD.org
Subject: Re: Reducing ip_id information leakage
Message-ID: <200304302018.h3UKIpcF055535@khavrinen.lcs.mit.edu>
In-Reply-To: <20030430015609.M514@odysseus.silby.com>
References: <200304292247.h3TMlpPU044307@khavrinen.lcs.mit.edu> <20030430015609.M514@odysseus.silby.com>

<<On Wed, 30 Apr 2003 01:58:36 -0500 (CDT), Mike Silbersack <silby@silby.com> said:

> Looks good to me, I've been contemplating doing just this for a while.
> It's too bad we don't have an inexpensive function we can use for the !DF
> case. I'd like to make the OpenBSD function the default for frag packets,
> but it seems just too heavyweight..

What we'd really like is cheap random sequences on Z/65536Z. It is
fairly trivial to generate cheap non-random sequences on that group --
there's a whole family of trivial ones, but these are easy to analyze.
Ultimately I don't think it's really worth that much effort, and the
DF trick, since it's normally enabled for all TCP sessions, gives us
99% of the value at 0.1% of the cost.

-GAWollman
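
The remark above about cheap but easily analyzed sequences on Z/65536Z, as an added example that is not part of the original message or of FreeBSD's code: a linear congruential generator, assumed here as one member of that "trivial" family (the message names none), covers all 65536 IDs without a repeat, yet three consecutive observed values determine every later one. The constants LCG_A and LCG_C and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed constants (assumption): a % 4 == 1, c odd => full period mod 2^16. */
#define LCG_A 0x6255u
#define LCG_C 0x3619u

static uint16_t lcg_next(uint16_t x, uint16_t a, uint16_t c)
{
    return (uint16_t)((uint32_t)a * x + c);
}

/* 1 if 65536 steps from seed hit every 16-bit value once and wrap to seed. */
static int lcg_full_period(uint16_t seed, uint16_t a, uint16_t c)
{
    uint8_t seen[65536] = {0};
    uint16_t x = seed;
    for (uint32_t i = 0; i < 65536; i++) {
        if (seen[x]) return 0;
        seen[x] = 1;
        x = lcg_next(x, a, c);
    }
    return x == seed;
}

/* Inverse of an odd d modulo 2^16 (Newton iteration, precision doubles). */
static uint16_t inv16(uint16_t d)
{
    uint32_t r = d;
    for (int i = 0; i < 4; i++)
        r = (r * (2u - d * r)) & 0xffffu;
    return (uint16_t)r;
}

/* Solve x2-x1 = a*(x1-x0), c = x1 - a*x0; x1-x0 = (a-1)*x0 + c is always odd. */
static uint16_t predict_next(uint16_t x0, uint16_t x1, uint16_t x2)
{
    uint16_t a = (uint16_t)((uint32_t)(uint16_t)(x2 - x1) * inv16((uint16_t)(x1 - x0)));
    uint16_t c = (uint16_t)(x1 - (uint32_t)a * x0);
    return lcg_next(x2, a, c);
}

int main(void)
{
    uint16_t x0 = 0xbeef, x1 = lcg_next(x0, LCG_A, LCG_C), x2 = lcg_next(x1, LCG_A, LCG_C);
    printf("full period %d, predicted %d, actual %d\n", lcg_full_period(x0, LCG_A, LCG_C),
           predict_next(x0, x1, x2), lcg_next(x2, LCG_A, LCG_C));
    return 0;
}
```

The sequence never repeats an ID within 65536 packets, which is the property fragment reassembly needs, but it hides nothing about how many packets were sent between two observations.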