Subject: Re: CVS commit: src/sys/netinet
To: John Hawkinson <jhawk@MIT.EDU>
From: Steven M. Bellovin <smb@research.att.com>
List: source-changes
Date: 09/11/2003 11:36:16
In message <20030911015148.GA7118@multics.mit.edu>, John Hawkinson writes:
>Steven M. Bellovin <smb@research.att.com> wrote on Tue,  9 Sep 2003
>at 07:40:55 -0400 in <20030909114055.1D4007B44@berkshire.research.att.com>:
>
>> >Without wanting to advocate change for the sake of change, how much
>> >sense does it make to go a step further and use a constant value in
>> >the ID field (say 0?) for all "do not fragment" packets ?
>> 
>> It makes a lot of sense, though it gives away some fingerprinting info. 
>> In fact, I believe that some Linux distributions already do just that.
>> (At least one brand of router uses 0 for link-local OSPF packets, which 
>> it knows can't be fragmented, and a counter for TCP.)
>
>I'm curious if it really buys us very much. Having consistently
>increasing IP IDs (and even different IP IDs) can be a valuable
>debugging tool.

It blocks some stealth scanning techniques, and defeats my "count the 
hosts behind a NAT" technique.  I believe that the latest ipf does the
latter when it's acting as a NAT, but it doesn't help machines that are 
behind commercial NATs.


		--Steve Bellovin, http://www.research.att.com/~smb
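The property under discussion (a constant ID, such as 0, in "do not fragment" packets versus a per-host counter that leaks fingerprinting information) can be checked on a host's own traffic. The following is an added example, not code from the thread or from NetBSD: it parses raw IPv4 headers and classifies each source's DF-packet ID sequence as constant, counter-like, or other; the packet bytes, addresses and helper names are constructed for the demo.

```python
import struct
from collections import defaultdict

DF_FLAG = 0x4000  # "Don't Fragment" bit in the IPv4 flags/fragment-offset field


def parse_ipv4_header(pkt):
    """Return (source address, identification, DF set?) from a raw IPv4 header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ident, flags_frag = struct.unpack("!HH", pkt[4:8])
    src = ".".join(str(b) for b in pkt[12:16])
    return src, ident, bool(flags_frag & DF_FLAG)


def classify_ids(ids):
    """'constant' if every ID is the same, 'counter' if IDs step up by small
    increments (mod 2^16), 'other' otherwise; 'insufficient' below two samples."""
    if len(ids) < 2:
        return "insufficient"
    if len(set(ids)) == 1:
        return "constant"
    deltas = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]
    if all(0 < d <= 16 for d in deltas):
        return "counter"
    return "other"


def audit_df_ids(packets):
    """Group the IDs of DF-flagged packets by source and classify each sequence.
    Non-DF packets are ignored: only DF packets are expected to carry a constant ID."""
    per_src = defaultdict(list)
    for pkt in packets:
        src, ident, df = parse_ipv4_header(pkt)
        if df:
            per_src[src].append(ident)
    return {src: classify_ids(ids) for src, ids in per_src.items()}


def make_header(src, ident, df):
    """Constructed 20-byte IPv4 header (checksum left zero) used only to build sample input."""
    src_bytes = bytes(int(o) for o in src.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ident, DF_FLAG if df else 0,
                       64, 6, 0, src_bytes, b"\x0a\x00\x00\x01")


# Constructed sample: .10 uses ID 0 for DF packets, .20 uses a counter,
# .30 sends one non-DF packet (ignored) plus DF packets with unrelated IDs.
SAMPLE = [make_header("192.0.2.10", 0, True)] * 3 + [
    make_header("192.0.2.20", i, True) for i in (65534, 65535, 0, 1)
] + [make_header("192.0.2.30", 7, False),
     make_header("192.0.2.30", 0x3A21, True), make_header("192.0.2.30", 0x9C07, True)]

if __name__ == "__main__":
    print(audit_df_ids(SAMPLE))
```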