From owner-svn-src-head@FreeBSD.ORG Tue Apr 7 16:42:29 2015
Delivered-To: svn-src-head@freebsd.org
Date: Tue, 7 Apr 2015 19:42:24 +0300
From: Gleb Smirnoff
To: Hans Petter Selasky
Subject: Re: svn commit: r281024 - head/share/man/man4
Message-ID: <20150407164223.GI64665@FreeBSD.org>
References: <201504031400.t33E094r076234@svn.freebsd.org>
In-Reply-To: <201504031400.t33E094r076234@svn.freebsd.org>
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org

Hans,

4 days ago I asked you to back this out, and my request was ignored. Can you please back this out now? Yes, it is interesting stuff, but it doesn't belong in the documentation. If you strongly disagree with me, I'd suggest appealing to Mike Silbersack, who is the author of the code. If he agrees that additional information on covert channels is important, the text can be put back.

On Fri, Apr 03, 2015 at 02:00:09PM +0000, Hans Petter Selasky wrote:
H> Author: hselasky
H> Date: Fri Apr 3 14:00:08 2015
H> New Revision: 281024
H> URL: https://svnweb.freebsd.org/changeset/base/281024
H>
H> Log:
H> Add more documentation about the "net.inet.ip.random_id" sysctl knob
H> and how it can affect information flow between observers.
H>
H> MFC after: 1 week
H>
H> Modified:
H> head/share/man/man4/inet.4
H>
H> Modified: head/share/man/man4/inet.4 H> ============================================================================== H> --- head/share/man/man4/inet.4 Fri Apr 3 13:57:14 2015 (r281023) H> +++ head/share/man/man4/inet.4 Fri Apr 3 14:00:08 2015 (r281024) H> @@ -28,7 +28,7 @@ H> .\" From: @(#)inet.4 8.1 (Berkeley) 6/5/93 H> .\" $FreeBSD$ H> .\" H> -.Dd April 2, 2015 H> +.Dd April 3, 2015 H> .Dt INET 4 H> .Os H> .Sh NAME H>
@@ -244,10 +244,22 @@ IP datagrams (or all IP datagrams, if H> .Va ip.rfc6864 H> is disabled) to be randomized instead of incremented by 1 with each packet H> generated. H> -This closes a minor information leak which allows remote observers to H> +This prevents information exchange between any combination of two or H> +more inside and/or outside observers using packet frequency H> +modulation, PFM. H> +An outside observer can ping the outside facing port at a fixed rate H> +sampling the returned counter. H> +An inside observer can ping the inside facing port sampling the same H> +counter. H> +Even though packets don't flow directly between any of the observers H> +any single observer can influence the data rate the other observer(s) H> +is or are sampling. H> +This is done by sending more or less ping packets towards the gateway H> +per measured interval. H> +Setting this sysctl also prevents the remote and internal observers to H> determine the rate of packet generation on the machine by watching the H> counter. H> -In the same time, on high-speed links, it can decrease the ID reuse H> +At the same time, on high-speed links, it can decrease the ID reuse H> cycle greatly. H> Default is 0 (sequential IP IDs). H> IPv6 flow IDs and fragment IDs are always random. H> -- Totus tuus, Glebius.
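Review bot: the second hunk (@@ -244,10 +244,22 @@) overstates what the knob does: "This prevents information exchange between any combination of two or more inside and/or outside observers using packet frequency modulation" claims a general result, while the change being documented only randomizes the IP ID field, so the honest statement is that it removes the shared IP ID counter as a signal the two observers can read; whether the observers can still influence each other through the gateway in other ways is outside what this sysctl controls and the man page should not promise otherwise. Suggested wording: "This removes the IP ID counter as a shared signal that inside and outside observers could use to exchange information by modulating their packet rates." Two grammar points in the same hunk: "prevents the remote and internal observers to determine" should be "prevents remote and internal observers from determining", and "the data rate the other observer(s) is or are sampling" should be "the counter increment rate the other observers sample". Finally, the replaced sentence "This closes a minor information leak which allows remote observers to determine the rate of packet generation" was proportionate for a sysctl description; the seven added sentences walk through the attack step by step and read as an explanation better suited to a commit message or security advisory than to inet.4, so consider keeping the one-sentence form plus a single sentence on the two-observer case.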