Date:      Tue, 7 Apr 2015 19:42:24 +0300
From:      Gleb Smirnoff <glebius@FreeBSD.org>
To:        Hans Petter Selasky <hselasky@FreeBSD.org>
Cc:        svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org
Subject:   Re: svn commit: r281024 - head/share/man/man4
Message-ID:  <20150407164223.GI64665@FreeBSD.org>
In-Reply-To: <201504031400.t33E094r076234@svn.freebsd.org>
References:  <201504031400.t33E094r076234@svn.freebsd.org>

  Hans,

  4 days ago I asked you to back this out, and my request was
ignored.  Can you please back this out now?

Yes, it is interesting stuff, but it doesn't belong in the
documentation. If you strongly disagree with me, I'd suggest
advocating this to Mike Silbersack, who is the author of the code. If he
agrees that additional information on covert channels is
important, the text can be put back.

On Fri, Apr 03, 2015 at 02:00:09PM +0000, Hans Petter Selasky wrote:
H> Author: hselasky
H> Date: Fri Apr  3 14:00:08 2015
H> New Revision: 281024
H> URL: https://svnweb.freebsd.org/changeset/base/281024
H> 
H> Log:
H>   Add more documentation about the "net.inet.ip.random_id" sysctl knob
H>   and how it can affect information flow between observers.
H>   
H>   MFC after:	1 week
H> 
H> Modified:
H>   head/share/man/man4/inet.4
H> 
H> Modified: head/share/man/man4/inet.4
H> ==============================================================================
H> --- head/share/man/man4/inet.4	Fri Apr  3 13:57:14 2015	(r281023)
H> +++ head/share/man/man4/inet.4	Fri Apr  3 14:00:08 2015	(r281024)
H> @@ -28,7 +28,7 @@
H>  .\"     From: @(#)inet.4	8.1 (Berkeley) 6/5/93
H>  .\" $FreeBSD$
H>  .\"
H> -.Dd April 2, 2015
H> +.Dd April 3, 2015
H>  .Dt INET 4
H>  .Os
H>  .Sh NAME
H> @@ -244,10 +244,22 @@ IP datagrams (or all IP datagrams, if
H>  .Va ip.rfc6864
H>  is disabled) to be randomized instead of incremented by 1 with each packet
H>  generated.
H> -This closes a minor information leak which allows remote observers to
H> +This prevents information exchange between any combination of two or
H> +more inside and/or outside observers using packet frequency
H> +modulation, PFM.
H> +An outside observer can ping the outside facing port at a fixed rate
H> +sampling the returned counter.
H> +An inside observer can ping the inside facing port sampling the same
H> +counter.
H> +Even though packets don't flow directly between any of the observers
H> +any single observer can influence the data rate the other observer(s)
H> +is or are sampling.
H> +This is done by sending more or less ping packets towards the gateway
H> +per measured interval.
H> +Setting this sysctl also prevents the remote and internal observers to
H>  determine the rate of packet generation on the machine by watching the
H>  counter.
H> -In the same time, on high-speed links, it can decrease the ID reuse
H> +At the same time, on high-speed links, it can decrease the ID reuse
H>  cycle greatly.
H>  Default is 0 (sequential IP IDs).
H>  IPv6 flow IDs and fragment IDs are always random.
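Review bot: the sentence that the added block grafts onto the unchanged context lines is ungrammatical: "Setting this sysctl also prevents the remote and internal observers to / determine the rate of packet generation on the machine" should read "prevents remote and internal observers from determining the rate of packet generation on the machine by watching the counter" (the removed "This closes a minor information leak which allows remote observers to" flowed into those context lines correctly), so please re-read the whole paragraph as it renders after the edit. Two further documentation points in the same block: the opening claim "This prevents information exchange between any combination of two or more inside and/or outside observers" overstates what the knob does, since randomizing the IP ID only removes the ID counter as a shared, observable signal, so scope the sentence to the counter rather than to information exchange in general; and "packet frequency modulation, PFM" introduces an abbreviation with no citation, so either write it as "(PFM)" with a reference the reader can follow or drop the term, because "any single observer can influence the data rate the other observer(s) is or are sampling" already explains the mechanism (that phrase itself would read better as "the data rate the other observers are sampling", and "Even though packets don't flow directly between any of the observers any single observer" needs a comma after "observers").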
H> 

-- 
Totus tuus, Glebius.
