Subject: Re: random ip_id must be configurable
To: None <tech-net@netbsd.org>
From: Darren Reed <darrenr@netbsd.org>
List: tech-net
Date: 10/07/2003 06:48:49
> On Fri, Sep 12, 2003 at 11:04:36PM -0000, Darren Reed wrote:
> > >	i got a couple of references on ip_id/DNS id attacks:
> > >
> > >	smb's paper on counting hosts behind NAT using ip_id.  if you use
> > >	non-random ip_id, number of hosts behind NAT will be revealed.
> > 
> > Yes.  And so what?  This change (generating pseudo-random ones for NetBSD)
> > does nothing to address the problem for NAT unless it is a NetBSD box that
> > is being NAT'd.  IPFilter 4.0 provides an adequate knob (unlike pf) that
> > resolves this.
> 
> huh?
> we have a knob for that in pf since at least 6 months.

Yup.

> am I missing something or do you?

How would I know what you're missing?  I do know I'm not in this instance.
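The host-counting technique the thread refers to (Bellovin's observation that a per-host sequential IP ID counter survives NAT and so reveals how many hosts sit behind it) is shown below as an added example. It is not code from this thread, from the cited paper, or from NetBSD, IPFilter or pf. It assumes packets captured on the outside of the NAT are given as (time, ip_id) pairs, that a host with a sequential counter produces IDs that climb by small steps (the MAX_GAP window of 16 is a chosen parameter, not anything from the thread), and all traffic is constructed inline: four hosts with sequential counters (one wrapping past 65535) and a second capture whose IDs were chosen to be spread far apart, standing in for a randomizing stack.

```python
"""Count hosts behind a NAT from the IP ID field (Bellovin's technique).

Added example, not the thread's, the paper's, or any BSD stack's code.
Assumptions (not from the thread): each host with a sequential ip_id
counter produces a chain of IDs that increase by small steps; a host with
pseudo-random ip_id produces no such chain.  The NAT rewrites the source
address but leaves ip_id alone, so chains are visible on the outside.
"""

IP_ID_MODULUS = 65536   # ip_id is a 16-bit field and wraps
MAX_GAP = 16            # chosen window: largest upward step still treated as
                        # the same host's counter (parameter, not a standard)


def chain_ip_ids(packets, max_gap=MAX_GAP):
    """Greedy chain assignment.

    packets: iterable of (time, ip_id).  Each packet joins the chain whose
    last ID lies the smallest distance strictly below it (mod 2^16) within
    max_gap; otherwise it starts a new chain.  Returns the chains in
    creation order, each a list of ip_ids in arrival order.
    """
    chains = []
    for _, ip_id in sorted(packets):
        best, best_delta = None, None
        for chain in chains:
            delta = (ip_id - chain[-1]) % IP_ID_MODULUS
            if 0 < delta <= max_gap and (best_delta is None or delta < best_delta):
                best, best_delta = chain, delta
        if best is None:
            chains.append([ip_id])
        else:
            best.append(ip_id)
    return chains


def estimate_hosts(packets, min_len=3, max_gap=MAX_GAP):
    """Number of chains long enough to be a counter rather than coincidence."""
    return sum(1 for chain in chain_ip_ids(packets, max_gap) if len(chain) >= min_len)


# Constructed traffic: four hypothetical hosts, each with its own sequential
# counter starting at a different value.  host-d's counter wraps past 65535.
SEQUENTIAL_HOSTS = {
    "host-a": 100,
    "host-b": 40000,
    "host-c": 7000,
    "host-d": 65532,
}


def make_sequential_traffic(hosts=SEQUENTIAL_HOSTS, packets_per_host=10):
    """Round-robin interleave the hosts' packets, as a NAT would emit them."""
    packets, t = [], 0
    for i in range(packets_per_host):
        for start in hosts.values():
            packets.append((t, (start + i) % IP_ID_MODULUS))
            t += 1
    return packets


# Constructed capture standing in for a stack that randomizes ip_id: the
# values were hand-picked so no ID is within MAX_GAP above an earlier one.
RANDOM_IDS = [23417, 61002, 8893, 45120, 30077, 1999,
              55555, 12345, 39871, 63210, 4444, 27650]


def make_random_traffic(ids=RANDOM_IDS):
    return [(t, ip_id) for t, ip_id in enumerate(ids)]


if __name__ == "__main__":
    seq = chain_ip_ids(make_sequential_traffic())
    print("sequential ip_id: chains of length", [len(c) for c in seq])
    print("estimated hosts behind NAT:", estimate_hosts(make_sequential_traffic()))
    print("random ip_id: estimated hosts:", estimate_hosts(make_random_traffic()))
```

With sequential counters the four interleaved hosts separate cleanly into four chains of ten, including the one whose counter wraps through 0; with the spread-out IDs every packet starts its own chain and the estimate drops to zero, which is exactly what randomizing ip_id on the hosts (or rewriting it in the NAT, as the knobs discussed in the thread do) buys you.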