[e2e] ICMP & TCP segments with IP ID = 0?
David P. Reed
dpreed at reed.com
Thu May 17 07:18:09 PDT 2001
At 12:46 PM 5/17/01 +0200, Andi Kleen wrote:
>On Thu, May 17, 2001 at 09:04:37AM +0200, Jon Crowcroft wrote:
> > but yes, i can think of lots of optimisation/implementation reasons why
> > zeroing out a packet template once per transport+ip session
> > is faster than yet another ++ operation per packet
>The main problem is that userbase today wants secure ipid, not giving you cues
>on how many packets have been sent in a time range, because that information
>can be exploited by some theoretical and also some practical attacks.
>Generating "secure" ipid can be very costly.
I had the initial reaction of "oh, come on!" to this point. And when I
thought more, I got more upset with this sort of reasoning. Here's why, in
1. "Secure" ???? I've heard the word security misused enough times
recently that you'd think that I'd be immune to yet another. This is the
strangest use of the term security I've seen yet. It's like locking my
garage to protect my vacation house in another city. Since IPID's hardly
provide any kind of chink in a wall of protection, end-to-end (where it
counts) or at the wire level (where the press seems to get excited, but
which shouldn't bear on security much), it is hard to imagine a weakness
that is gained by reading IPID's that presents a danger in the context of
all the other "security" problems of network deployment. So I'd be able to
spoof fragments by introducing alternative fragments with the same
IPID? If I can do that, I can introduce whole packets with correct
checksums or wrong checksums or whatever, or even fragments with
non-current IPID's. This makes no sense whatever.
2. Users are demanding this? Sounds like a just-so-story. The number of
users who even know about IPID's, much less being affected by fragmentation
at all, is insignificant. I bet even John Markoff, who is a pretty well
educated "user" who deals with "cracking" issues, doesn't know, much less
care, about IPID "security". Perhaps systems programmers with time on
their hands to invent non-problems are demanding this. But I have trouble
even believing that.
Security is a typical end-to-end property (even DoS prevention is, though
the ends involved are different). These localized issues are not in
themselves the way to solve security problems. The fact that non-Linux
systems have never tried to be "IPID secure" is a tipoff that there isn't a
real problem here.
WWW Page: http://www.reed.com/dpr.html
More information about the end2end-interest