Subject: Re: Incremental IPID
To: David Krause <netbsd@davidkrause.com>
From: Bill Sommerfeld <sommerfeld@netbsd.org>
List: tech-net
Date: 12/31/2002 10:56:36
> There are several solutions
> including using all zeros with DF flag (Linux),
This violates the spec, and is an incomplete "solution" (you still
need something to generate them for the non-DF case).
> randomization (OpenBSD),
I'm very dubious about this unless there's a mechanism to avoid ip id
collisions (i.e., using randomized permutations/shuffling rather than
standard PRNG).
> and connection/peer-specific sequences (Solaris).
ip id's can't possibly be "connection" based since port numbers are
only found in the initial fragment.
Solaris uses a destination-specific cache for ip id generation.
advantage: ip id collisions which matter become much less likely.
FUD disadvantage: Some security scanners don't notice that the ip id's
are destination-specific, and flag it as "insecure" for using
sequential ip id's.
real disadvantage: one more cache to manage/control/etc.; one more
cache replacement algorithm to design/tune; particularly worrisome for
connectionless protocols.
- Bill
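The three schemes contrasted in the message above, as an added illustration in C. This is not code from NetBSD, OpenBSD, Solaris or anyone on the thread; the generator names, the xorshift PRNG, the keyed Feistel permutation and the four-slot destination cache are all assumptions made for the example. The point it makes concrete is the one in the reply: a plain PRNG reissues 16-bit IDs long before the reassembly window closes (birthday bound), a random permutation of the ID space cannot repeat within 65536 packets, and a destination-keyed counter looks sequential to any single peer while being unrelated to the counters used for other destinations.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative IP ID generators (added example; not NetBSD/OpenBSD/Solaris code).
   All structure and function names here are invented for the illustration. */

static uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* 1. Plain PRNG IDs: top 16 bits of a xorshift state. Nothing stops an ID
      from being reissued while fragments carrying it are still in flight. */
static uint32_t prng_state = 0x9E3779B9u;
static uint16_t id_prng_next(void) { return (uint16_t)(xorshift32(&prng_state) >> 16); }

/* 2. Random permutation: a counter pushed through a keyed 4-round Feistel
      network on 16 bits. A Feistel network is a bijection for any round
      function, so 65536 consecutive IDs are all distinct. */
struct perm_gen { uint16_t ctr; uint8_t sbox[256]; uint8_t rk[4]; };

static void perm_init(struct perm_gen *g, uint32_t seed)
{
    uint32_t x = seed ? seed : 1;
    for (int i = 0; i < 256; i++) g->sbox[i] = (uint8_t)i;
    for (int i = 255; i > 0; i--) {                 /* Fisher-Yates shuffle */
        int j = (int)(xorshift32(&x) % (uint32_t)(i + 1));
        uint8_t t = g->sbox[i]; g->sbox[i] = g->sbox[j]; g->sbox[j] = t;
    }
    for (int r = 0; r < 4; r++) g->rk[r] = (uint8_t)xorshift32(&x);
    g->ctr = (uint16_t)xorshift32(&x);              /* random starting point */
}

static uint16_t perm_map(const struct perm_gen *g, uint16_t v)
{
    uint8_t l = (uint8_t)(v >> 8), r = (uint8_t)v;
    for (int i = 0; i < 4; i++) {                   /* (L,R) -> (R, L ^ F(R)) */
        uint8_t t = l ^ g->sbox[(uint8_t)(r + g->rk[i])];
        l = r; r = t;
    }
    return (uint16_t)((l << 8) | r);
}

static uint16_t id_perm_next(struct perm_gen *g) { return perm_map(g, g->ctr++); }

/* 3. Destination-specific sequential IDs: a tiny cache keyed by destination
      address with round-robin replacement; each new entry starts at a random
      offset so one peer learns nothing about the counters of other peers. */
#define DST_SLOTS 4
struct dst_entry { uint32_t dst; uint16_t next_id; int used; };
struct dst_cache { struct dst_entry e[DST_SLOTS]; unsigned victim; uint32_t seed; };

static uint16_t id_dst_next(struct dst_cache *c, uint32_t dst)
{
    for (int i = 0; i < DST_SLOTS; i++)
        if (c->e[i].used && c->e[i].dst == dst)
            return c->e[i].next_id++;
    struct dst_entry *v = &c->e[c->victim++ % DST_SLOTS];   /* miss: evict */
    if (!c->seed) c->seed = 0x243F6A88u;
    v->used = 1; v->dst = dst; v->next_id = (uint16_t)xorshift32(&c->seed);
    return v->next_id++;
}

/* Number of distinct values among n IDs (n <= 65536). */
static size_t distinct_ids(const uint16_t *ids, size_t n)
{
    static uint8_t seen[65536];
    size_t d = 0;
    memset(seen, 0, sizeof seen);
    for (size_t i = 0; i < n; i++)
        if (!seen[ids[i]]) { seen[ids[i]] = 1; d++; }
    return d;
}

static uint16_t buf[65536];

static size_t prng_distinct(size_t n)
{
    for (size_t i = 0; i < n; i++) buf[i] = id_prng_next();
    return distinct_ids(buf, n);
}

static size_t perm_distinct(uint32_t seed, size_t n)
{
    struct perm_gen g; perm_init(&g, seed);
    for (size_t i = 0; i < n; i++) buf[i] = id_perm_next(&g);
    return distinct_ids(buf, n);
}

/* Interleave traffic to two destinations; each must see its own +1 sequence. */
static int dst_sequences_ok(void)
{
    struct dst_cache c = {0};
    uint16_t a0 = id_dst_next(&c, 0x0A000001u), b0 = id_dst_next(&c, 0x0A000002u);
    uint16_t a1 = id_dst_next(&c, 0x0A000001u), b1 = id_dst_next(&c, 0x0A000002u);
    return a1 == (uint16_t)(a0 + 1) && b1 == (uint16_t)(b0 + 1);
}

int main(void)
{
    printf("PRNG: %zu distinct of 32768 IDs\n", prng_distinct(32768));
    printf("perm: %zu distinct of 65536 IDs\n", perm_distinct(12345u, 65536));
    printf("per-destination sequences ok: %d\n", dst_sequences_ok());
    return 0;
}
```

The collision that matters for reassembly is a repeated ID for the same (src, dst, proto) while earlier fragments are still queued; with a plain PRNG the expected number of such repeats among n IDs is about n(n-1)/131072, so a few thousand packets in flight are enough to see one, whereas the permutation cannot repeat until the counter wraps. The cache in scheme 3 is also where the "real disadvantage" in the message shows up: with only DST_SLOTS entries, a burst of connectionless traffic to many peers evicts entries and restarts sequences, so sizing and replacement policy become part of the security argument.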