[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Reducing ip_id information leakage



<<On Wed, 30 Apr 2003 01:58:36 -0500 (CDT), Mike Silbersack <silby_(_at_)_silby_(_dot_)_com> said:

> Looks good to me, I've been contemplating doing just this for a while.

> It's too bad we don't have an inexpensive function we can use for the !DF
> case.  I'd like to make the OpenBSD function the default for frag packets,
> but it seems just too heavyweight..

What we'd really like is cheap random sequences on Z/65536Z.  It is
fairly trivial to generate cheap non-random sequences on that group --
there's a whole family of trivial ones, but these are easy to analyze.
Ultimately I don't think it's really worth that much effort, and the
DF trick, since it's normally enabled for all TCP sessions, gives us
99% of the value at 0.1% of the cost.

-GAWollman


Visit your host, monkey.org