From owner-freebsd-net@FreeBSD.ORG Wed Apr 30 14:35:39 2003
Date: Wed, 30 Apr 2003 16:35:24 -0500 (CDT)
From: Mike Silbersack
To: Garrett Wollman
cc: net@FreeBSD.org
Subject: Re: Reducing ip_id information leakage
In-Reply-To: <200304302018.h3UKIpcF055535@khavrinen.lcs.mit.edu>
Message-ID: <20030430162628.A3741@odysseus.silby.com>
References: <200304292247.h3TMlpPU044307@khavrinen.lcs.mit.edu> <200304302018.h3UKIpcF055535@khavrinen.lcs.mit.edu>
List-Id: Networking and TCP/IP with FreeBSD

On Wed, 30 Apr 2003, Garrett Wollman wrote:

> What we'd really like is cheap random sequences on Z/65536Z. It is
> fairly trivial to generate cheap non-random sequences on that group --
> there's a whole family of trivial ones, but these are easy to analyze.
> Ultimately I don't think it's really worth that much effort, and the
> DF trick, since it's normally enabled for all TCP sessions, gives us
> 99% of the value at 0.1% of the cost.
>
> -GAWollman

I think that even a trivial pseudo-random sequence would be good to
implement. With the standard ip_id++ sequence, you can precisely monitor
the number of packets sent and also determine if two IPs are shared by the
machine without any work. Any sort of pseudo-random sequence would at least
require you to go through some work to determine any information.

I have this nagging feeling that taking most TCP sessions out of the
equation makes the obfuscation of the remaining ip_id'd packets more
important, but I can't figure out why exactly. Do we set the DF flag on
most UDP and ICMP packets?

Mike "Silby" Silbersack
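The "cheap non-random sequence on Z/65536Z" that Wollman mentions, as an added example in C that is not from the thread and not FreeBSD's ip_id code: a full-period linear congruential generator whose constants IPID_A and IPID_C are constructed for illustration, a check that it visits every one of the 65536 ids once before repeating (the uniqueness property fragment reassembly depends on), and the successor function that shows why such a generator is easy to analyze once its parameters are known.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Full-period LCG on Z/65536Z: x' = (a*x + c) mod 2^16.
 * Hull-Dobell: with c odd and (a - 1) divisible by 4 the period is
 * exactly 65536, so no id is reused before all others have been sent.
 * The constants are constructed for this example, not FreeBSD's. */
#define IPID_A 0x6fa5u  /* 0x6fa5 - 1 = 0x6fa4, divisible by 4 */
#define IPID_C 0x1b3du  /* odd */

struct ipid_lcg { uint16_t state; };

/* Next id from the generator; uint16_t truncation is the mod 2^16. */
uint16_t ipid_lcg_next(struct ipid_lcg *g) {
    g->state = (uint16_t)(IPID_A * g->state + IPID_C);
    return g->state;
}

/* The plain ip_id++ scheme the mail compares against: each id is one
 * more than the previous, so the count of packets sent is visible. */
uint16_t ipid_counter_next(uint16_t *last) { return ++*last; }

/* Check that, from any seed, the LCG emits all 65536 ids exactly once
 * before any repeat; returns false on the first duplicate. */
bool ipid_lcg_full_period(uint16_t seed) {
    uint8_t seen[65536 / 8];
    memset(seen, 0, sizeof seen);
    struct ipid_lcg g = { seed };
    for (uint32_t i = 0; i < 65536; i++) {
        uint16_t id = ipid_lcg_next(&g);
        if (seen[id >> 3] & (uint8_t)(1u << (id & 7))) return false;
        seen[id >> 3] |= (uint8_t)(1u << (id & 7));
    }
    return true;
}

/* Why this family is "easy to analyze": a and c are fixed, so a single
 * observed id determines the next one. The order hides the packet
 * count from a casual look, but not from anyone who knows a and c. */
uint16_t ipid_lcg_successor(uint16_t observed) {
    return (uint16_t)(IPID_A * observed + IPID_C);
}
```

A generator that must resist analysis needs a secret, periodically rekeyed component rather than fixed public constants; this block only shows the cheap end of the trade-off the thread discusses.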