Subject: random ip_id must be configurable
To: None <firstname.lastname@example.org>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
Date: 09/11/2003 13:04:45
The traditional incrementing IP id code was recently replaced (without
discussion) with an OpenBSD-derived pseudo-random IP id.
This change was made despite the relatively recent discussion of the
technical issue, in which most (if not all) the following points came up:
* Its not clear to all of us that the "vulerability" to DNS requests
is widespread,[ or that randomizing the ip_id is the best way to close it.
* There are environments where the computational cost does not justify
deploying this fix.
* There are environments where the downside of reducing the (already small)
ip_id space overwhelms the alleged security gains.
(To paraphrase an observation Bill STudenmund made in a different context:
``this code needs to be fast.')
I therefore intend to to make randomisation of the IP id field be a
config-time option. Personally I beleive the default should be to not
randomize; though i amo open to other suggestions, such as making it
sysctl'able (changeable at low security levels), with an
inline-function to make the test and (if using increment) return the
increnemted global; otherwise do a full function call to get a
pseudo-random IP id.