Subject: Re: random ip_id must be configurable
To: Jonathan Stone <jonathan@DSG.Stanford.EDU>
From: Manuel Bouyer <firstname.lastname@example.org>
Date: 09/11/2003 22:58:44
On Thu, Sep 11, 2003 at 01:04:45PM -0700, Jonathan Stone wrote:
> The traditional incrementing IP id code was recently replaced (without
> discussion) with an OpenBSD-derived pseudo-random IP id.
> This change was made despite the relatively recent discussion of the
> technical issue, in which most (if not all) the following points came up:
> * Its not clear to all of us that the "vulerability" to DNS requests
> is widespread,[ or that randomizing the ip_id is the best way to close it.
> * There are environments where the computational cost does not justify
> deploying this fix.
> * There are environments where the downside of reducing the (already small)
> ip_id space overwhelms the alleged security gains.
> (To paraphrase an observation Bill STudenmund made in a different context:
> ``this code needs to be fast.')
> I therefore intend to to make randomisation of the IP id field be a
> config-time option. Personally I beleive the default should be to not
> randomize; though i amo open to other suggestions, such as making it
> sysctl'able (changeable at low security levels), with an
> inline-function to make the test and (if using increment) return the
> increnemted global; otherwise do a full function call to get a
> pseudo-random IP id.
I'd prefer to have it sysctl'able. I hate to have to rebuild kernel because
of an option.
Manuel Bouyer <email@example.com>
NetBSD: 24 ans d'experience feront toujours la difference