Subject: Re: random ip_id must be configurable
To: None <itojun@itojun.org>
From: Darren Reed <darrenr@netbsd.org>
List: tech-net
Date: 09/12/2003 23:04:36
>	i got a couple of references on ip_id/DNS id attacks:
>
>	smb's paper on counting hosts behind NAT using ip_id.  if you use
>	non-random ip_id, number of hosts behind NAT will be revealed.

Yes.  And so what ?  This change (generating pseudo-random ones for NetBSD)
does nothing to address the problem for NAT unless it is a NetBSD box that
is being NAT'd.  IPFilter 4.0 provides an adequate knob (unlike pf) that
resolves this.

>	There is a tool that exploits sequential DNS ids blindly at:
>	http://www.packetfactory.net/Projects/zodiac/

Do you understand that attacking DNS id's is completely different
to attacking IP id's ?  In case you don't, DNS has its own 16-bit
ID that goes in every request sent from a DNS client to a DNS server.
This is not in any way, shape or form, related to the IP id except
by coincidence.

>	note also freebsd and Solaris do randomize ip_id.
>	http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/ip_output.c.diff?r1=1.188&r2=1.189

Solaris randomises the ip_id huh ?  Then how come a default installation
of Solaris doesn't have randomised ip_id's ?  In case you're wondering, I
just tested Solaris-current.

Darren
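As an added illustration that is not part of this thread, the following self-audit check classifies a sequence of ip_id values captured from a host's own outgoing traffic as sequential (the property that lets a passive observer count hosts behind a NAT, as in the paper referenced above) or randomized. The sample values are constructed, not real captures, and the threshold parameters are assumptions.

```python
"""Audit a host's IP ID behaviour: sequential (predictable) or randomized.

Intended for ip_id values captured from one host's own outgoing packets.
A sequential counter is what leaks host counts behind a NAT; a randomized
one does not.  The samples below are constructed, not real captures.
"""
import random
from collections import Counter

ID_SPACE = 1 << 16  # ip_id is a 16-bit field, so it wraps at 65536


def step_histogram(ids):
    """Count the modulo-2^16 differences between consecutive ip_id values.

    Taking the difference modulo 2^16 means 65535 -> 0 counts as a step of 1,
    so a counter that wraps is still recognised as sequential.
    """
    return Counter((b - a) % ID_SPACE for a, b in zip(ids, ids[1:]))


def classify_ip_id(ids, max_step=16, threshold=0.9):
    """Return ("sequential" | "random", fraction_of_small_steps).

    A step of 1..max_step is treated as "the counter advanced"; the slack
    above 1 tolerates a few packets the capture missed.  If at least
    `threshold` of all steps are small the field is called sequential.
    Note: this is a single-host check; two interleaved sequential hosts in
    one capture will look random to it (assumed thresholds, not a standard).
    """
    if len(ids) < 2:
        raise ValueError("need at least two ip_id samples")
    hist = step_histogram(ids)
    small = sum(n for step, n in hist.items() if 1 <= step <= max_step)
    fraction = small / (len(ids) - 1)
    return ("sequential" if fraction >= threshold else "random", fraction)


# Constructed sample 1: a per-host counter that wraps around 65536.
SEQUENTIAL_SAMPLE = [(65520 + i) % ID_SPACE for i in range(40)]

# Constructed sample 2: uniformly random IDs from a fixed seed (reproducible).
_rng = random.Random(20030912)
RANDOM_SAMPLE = [_rng.randrange(ID_SPACE) for _ in range(200)]

if __name__ == "__main__":
    for name, sample in (("sequential", SEQUENTIAL_SAMPLE),
                         ("random", RANDOM_SAMPLE)):
        label, frac = classify_ip_id(sample)
        print(f"{name:10s} -> {label} (small-step fraction {frac:.3f})")
```

To run this over real traffic, feed it the IP ID column from a tcpdump or tshark capture of one host's outbound packets; a "sequential" verdict means the field is predictable regardless of what the OS claims to do.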