Date:      Fri, 3 Apr 2015 17:28:30 +0100 (BST)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        Hans Petter Selasky <hps@selasky.org>
Cc:        Mateusz Guzik <mjguzik@gmail.com>, src-committers@freebsd.org, Ian Lepore <ian@freebsd.org>, svn-src-all@freebsd.org, Gleb Smirnoff <glebius@FreeBSD.org>, svn-src-head@freebsd.org
Subject:   Re: svn commit: r280971 - in head: contrib/ipfilter/tools share/man/man4 sys/contrib/ipfilter/netinet sys/netinet sys/netipsec sys/netpfil/pf
Message-ID:  <alpine.BSF.2.11.1504031727080.64391@fledge.watson.org>
In-Reply-To: <551E8A96.6030806@selasky.org>
References:  <551DA5EA.1080908@selasky.org> <551DAC9E.9010303@selasky.org> <358EC58D-1F92-411E-ADEB-8072020E9EB3@FreeBSD.org> <551DEF26.4000403@selasky.org> <4B7DAA59-389F-41AE-99D8-034A7AA61C99@FreeBSD.org> <551E520E.1040708@selasky.org> <6DF5FB51-8135-4144-BD3A-6E4127A23AA7@FreeBSD.org> <551E5C38.7070203@selasky.org> <78DD67BD-621C-451D-8E30-EC9BF396716F@FreeBSD.org> <551E6E72.8050208@selasky.org> <20150403112927.GQ64665@FreeBSD.org> <551E8A96.6030806@selasky.org>

On Fri, 3 Apr 2015, Hans Petter Selasky wrote:

> Will you mind if I rephrase that paragraph in the "inet.4" manual page from:
>
> "This closes a minor information leak which allows remote observers to 
> determine the rate of packet generation on the machine by watching the 
> counter."
>
> Into:
>
> "This prevents high-speed information exchange between internal and external 
> observers using packet frequency modulation. An outside observer can ping 
> the outside facing port at a fixed rate watching the counter. An inside 
> observer can ping the inside facing port watching the same counter. Even 
> though packets don't flow between the two ports, data can be exchanged by 
> watching changes in the packet rate. It is believed that data can be 
> exchanged in the Kb/s range this way. Setting this sysctl also prevents remote 
> and internal observers from determining the rate of packet generation on the 
> machine by watching the counter."

Yes, I think this is overly alarmist, and it suggests that other covert 
channels might not exist to be exploited if the knob is set -- which isn't 
true.  We don't promise that there are no covert channels in FreeBSD, and we 
would be foolish if we did promise that.

Robert
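Added example, not part of the thread above: a small audit that shows what the quoted paragraph is describing. Given the IP IDs seen in replies to probes sent at a fixed rate, it classifies the responder as using a sequential counter (which leaks the number of other packets sent between probes) or randomized IDs (the behaviour the knob under discussion enables; I take that knob to be FreeBSD's net.inet.ip.random_id, an identification the message itself does not spell out). The sample ID sequences are constructed by a simulator, not captured traffic.

```python
import random
from statistics import median

ID_SPACE = 65536  # the IP ID field is 16 bits wide


def simulate_ip_ids(n_probes, background_per_interval, randomized, seed=1):
    """Constructed sample: IP IDs of replies to n_probes probes sent at a fixed rate.
    Between two probes the host emits background_per_interval other packets, each
    taking one value from a shared 16-bit counter (sequential) or a random value."""
    rng = random.Random(seed)
    counter = rng.randrange(ID_SPACE)
    ids = []
    for _ in range(n_probes):
        if randomized:
            ids.append(rng.randrange(ID_SPACE))
        else:
            # background traffic plus the probe reply itself advance the counter
            counter = (counter + background_per_interval + 1) % ID_SPACE
            ids.append(counter)
    return ids


def id_deltas(ids):
    """Modular 16-bit differences between consecutive observed IDs."""
    return [(b - a) % ID_SPACE for a, b in zip(ids, ids[1:])]


def classify_ip_id(ids, max_plausible_delta=4096):
    """Return 'sequential' when consecutive IDs advance by small positive steps,
    'random' otherwise. The threshold assumes a host rarely sends more than a few
    thousand packets between two probes; random IDs exceed it ~94% of the time."""
    deltas = id_deltas(ids)
    small = sum(1 for d in deltas if 0 < d <= max_plausible_delta)
    return "sequential" if small >= 0.9 * len(deltas) else "random"


def estimate_background_rate(ids):
    """What an observer learns from a sequential counter: the number of packets
    the host sent between two probes (median delta minus the reply itself).
    Only meaningful when classify_ip_id() reports 'sequential'."""
    return max(median(id_deltas(ids)) - 1, 0)


if __name__ == "__main__":
    leaky = simulate_ip_ids(20, background_per_interval=40, randomized=False)
    fixed = simulate_ip_ids(20, background_per_interval=40, randomized=True)
    print(classify_ip_id(leaky), estimate_background_rate(leaky))  # sequential 40
    print(classify_ip_id(fixed))  # random
```

Run the same classifier over IDs gathered from a host before and after setting the knob to confirm the counter is no longer observable.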