Subject: random ip_id must be configurable
To: None <>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
List: tech-net
Date: 09/11/2003 13:04:45
The traditional incrementing IP id code was recently replaced (without
discussion) with an OpenBSD-derived pseudo-random IP id.

This change was made despite the relatively recent discussion of the
technical issue, in which most (if not all) the following points came up:

 * Its not  clear to all of us that the "vulerability" to DNS requests
   is widespread,[    or that randomizing the ip_id is the best way to close it.

 * There are environments where the computational cost does not justify
  deploying this fix.

 * There are environments where the downside of reducing the (already small)
   ip_id space overwhelms the alleged security gains.

(To paraphrase an observation Bill STudenmund made in a different context:
   ``this code needs to be fast.')

I therefore intend to to make randomisation of the IP id field be a
config-time option. Personally I beleive the default should be to not
randomize; though i amo open to other suggestions, such as making it
sysctl'able (changeable at low security levels), with an
inline-function to make the test and (if using increment) return the
increnemted global; otherwise do a full function call to get a
pseudo-random IP id.