On Fri, 3 Apr 2015, Emeric POUPON wrote:
A good ip id random would be certainly better. But the current
implementation is far from being optimized: a lock is being held inside
arc4rand, and another one for protecting the ip_id internals. We already
have contention problems with the IV generated for ESP packets. The
randomized ip id, using this implementation, is my opinion not an acceptable
solution.
Presumably, arc4random() should draw from per-CPU PRNGs to avoid contention,
which would have positive scalability effects elsewhere in the stack as well.
It is, of course, important that they be seeded independently in order to
provide different pseudo-random number sequences!
However, the point made earlier in the thread holds: I'm not convinced that
our IP ID randomisation is suitable for use given conflation of the IP ID
spaces. There's just too much chance of a collision if you are actually
seeing a lot of fragmentation with multiple 2-tuple pairs.
Robert
Regards,
Emeric
----- Mail original -----
De: "Hans Petter Selasky" <h...@selasky.org>
À: "Gleb Smirnoff" <gleb...@freebsd.org>
Cc: "Mateusz Guzik" <mjgu...@gmail.com>, "Ian Lepore" <i...@freebsd.org>,
svn-src-all@freebsd.org, src-committ...@freebsd.org, "Robert N. M. Watson" <rwat...@freebsd.org>,
svn-src-h...@freebsd.org
Envoyé: Vendredi 3 Avril 2015 15:06:51
Objet: Re: svn commit: r280971 - in head: contrib/ipfilter/tools share/man/man4
sys/contrib/ipfilter/netinet sys/netinet sys/netipsec sys/netpfil/pf
On 04/03/15 14:41, Hans Petter Selasky wrote:
On 04/03/15 13:29, Gleb Smirnoff wrote:
On Fri, Apr 03, 2015 at 12:41:54PM +0200, Hans Petter Selasky wrote:
H> "ip_do_randomid" is zero by default, and is not documented anywhere:
H>
H> grep -r ip_do_randomid share/
It is documented in inet(4).
The actual sysctl knob doesn't match the kernel symbol name, which is
allowed in sysctl(9).
Hi,
Will you mind if I rephrase that paragraph in the "inet.4" manual page
from:
"This closes a minor information leak which allows remote observers to
determine the rate of packet generation on the machine by watching the
counter."
Into:
"This prevents high-speed information exchange between internal and
external observers using packet frequency modulation. An outside
observer can ping the outside facing port at a fixed rate watching the
counter. An inside observer can ping the inside facing port watching the
same counter. Even though packets don't flow between the two ports, data
can be exchanged by watching changes in the packet rate. It is believed
that data can be exchanged in Kb/s range this way. Setting this sysctl
also prevents remote and internal observers to determine the rate of
packet generation on the machine by watching the counter."
Hi,
Maybe there will be some new applications after this discovery. No need
for uPnP any more. Could be nice to send text messages through
firewalls. Depends how many implement the IP ID counting the same way
like FreeBSD does ;-)
--HPS
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
