Date: Fri, 7 Nov 2014 16:06:50 -0500 From: grarpamp <grarpamp@gmail.com> To: tor-relays@lists.torproject.org Cc: FreeBSD Net <freebsd-net@freebsd.org>, freebsd-security@freebsd.org Subject: Re: [tor-relays] FreeBSD's global IP ID (was: Platform diversity in Tor network) Message-ID: <CAD2Ti2-GGQux--7VM9X_Uw7F2EPz1=xUy0qb9qFjR08M-pSSTg@mail.gmail.com> In-Reply-To: <CAJ-VmomY34S=Lx5uNF_9%2BuSjd=74fCEFwOeo_CvSUO1qRFVH1A@mail.gmail.com> References: <CAD2Ti28BFsedyPC7VBR-Rz8c2_4CAQDnBFopnRHEX45sgqmjtA@mail.gmail.com> <20141106135228.GE3824@nymity.ch> <CAD2Ti2-eKzbU3trE0qiTDdK73hsxNGuRy7VJee52%2BWmNC5H%2BmA@mail.gmail.com> <CAJ-VmomY34S=Lx5uNF_9%2BuSjd=74fCEFwOeo_CvSUO1qRFVH1A@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Nov 7, 2014 at 11:31 AM, Adrian Chadd <adrian@freebsd.org> wrote: > ... that's .. odd. > > Let's poke the freebsd crypto and network stack people and ask. I > can't imagine why this is a problem anymore and we should default to > it being on. I don't think there's a crypto@ list, though security@ might represent. > The other thing you could do is have the tor port require > it be turned on before tor runs. That would not cover people who compile and use upstream Tor. Ideally, the Tor client could check for any system parameters it feels are critical before running, or simply delegate them and/or any parameters of lesser importance to platform specific guides on the Tor wiki. > On 7 November 2014 00:20, grarpamp <grarpamp@gmail.com> wrote: >> On Thu, Nov 6, 2014 at 8:52 AM, Philipp Winter <phw@nymity.ch> wrote: >>> >>> FreeBSD still seems to use globally incrementing IP IDs by default. >>> That's an issue as it leaks fine-grained information about how many >>> packets a relay's networking stack processes. (However, nobody >>> investigated the exact impact on Tor relays so far, which makes this a >>> FUD-heavy topic.) It looks like approximately 50 out of the 131 FreeBSD >>> relays I tested (38%) use global IP IDs. >>> >>> There's a sysctl variable called "net.inet.ip.random_id" which makes a >>> FreeBSD's IP ID behaviour random. FreeBSD relay operators should set >>> this to "1". >>> >>> Note that this issue was already discussed earlier this year in a thread >>> called "Lots of tor relays send out sequential IP IDs; please fix >>> that!". >> >> It's been default off since before it was a sysctl over a decade ago. >> Anyone know what the deal is with that? Some objection, or >> forgotten flag day, or oversight that really should be set to 1? >> https://svnweb.freebsd.org/base?view=revision&revision=133720
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAD2Ti2-GGQux--7VM9X_Uw7F2EPz1=xUy0qb9qFjR08M-pSSTg>