Re: CVS commit: src/sys/netinet

To: John Hawkinson <jhawk%MIT.EDU@localhost>
Subject: Re: CVS commit: src/sys/netinet
From: "Steven M. Bellovin" <smb%research.att.com@localhost>
Date: Thu, 11 Sep 2003 11:36:16 -0400

In message <20030911015148.GA7118%multics.mit.edu@localhost>, John Hawkinson 
writes:
>Steven M. Bellovin <smb%research.att.com@localhost> wrote on Tue,  9 Sep 2003
>at 07:40:55 -0400 in 
><20030909114055.1D4007B44%berkshire.research.att.com@localhost>:
>
>> >Without wanting to advocate change for the sake of change, how much
>> >sense does it make to go a step further and use a constant value in
>> >the ID field (say 0?) for all "do not fragment" packets ?
>> 
>> It makes a lot of sense, though it gives away some fingerprinting info. 
>> In fact, I believe that some Linux distributions already do just that.
>> (At least one brand of router uses 0 for link-local OSPF packets, which 
>> it knows can't be fragmented, and a counter for TCP.)
>
>I'm curious if it really buys us very much. Having consistently
>increasing ip IDs (and even different IP IDs) can be a valuable
>debugging tool.

It blocks some stealth scanning techniques, and defeats my "count the 
hosts behind a NAT" technique.  I believe that the latest ipf does the
latter when it's acting as a NAT, but it doesn't help machines that are 
behind commercial NATs.


                --Steve Bellovin, http://www.research.att.com/~smb

References:
- Re: CVS commit: src/sys/netinet
  - From: John Hawkinson

Prev by Date: CVS commit: src/sys/kern
Next by Date: re: PF_KEY socket buffer size issue
Previous by Thread: Re: CVS commit: src/sys/netinet
Next by Thread: CVS commit: src/sys/arch/x86_64/x86_64
Indexes:

Home | Main Index | Thread Index | Old Index