[e2e] ICMP & TCP segments with IP ID = 0?

David P. Reed dpreed at reed.com
Thu May 17 07:18:09 PDT 2001


At 12:46 PM 5/17/01 +0200, Andi Kleen wrote:
>On Thu, May 17, 2001 at 09:04:37AM +0200, Jon Crowcroft wrote:
> > but yes, i can think of lots of optimisation/implementation reasons why
> > zeroing out a packet template once per transport+ip session
> > is faster than yet another ++ operation per packet
>
>The main problem is that the userbase today wants secure ipid, not giving you cues
>on how many packets have been sent in a time range, because that information
>can be exploited by some theoretical and also some practical attacks.
>Generating "secure" ipid can be very costly.

I had the initial reaction of "oh, come on!" to this point.  And when I 
thought more, I got more upset with this sort of reasoning.  Here's why, in 
a nutshell.

1. "Secure" ????  I've heard the word security misused enough times 
recently that you'd think that I'd be immune to yet another.  This is the 
strangest use of the term security I've seen yet.  It's like locking my 
garage to protect my vacation house in another city.  Since IPID's hardly 
provide any kind of chink in a wall of protection, end-to-end (where it 
counts) or at the wire level (where the press seems to get excited, but 
which shouldn't bear on security much), it is hard to imagine a weakness 
that is gained by reading IPID's that presents a danger in the context of 
all the other "security" problems of network deployment.  So I'd be able to 
spoof fragments by introducing alternative fragments with the same 
IPID?  If I can do that, I can introduce whole packets with correct 
checksums or wrong checksums or whatever, or even fragments with 
non-current IPID's.  This makes no sense whatever.

2. Users are demanding this?  Sounds like a just-so-story.  The number of 
users who even know about IPID's, much less being affected by fragmentation 
at all, is insignificant.  I bet even John Markoff, who is a pretty well 
educated "user" who deals with "cracking" issues, doesn't know, much less 
care, about IPID "security".  Perhaps systems programmers with time on 
their hands to invent non-problems are demanding this.  But I have trouble 
even believing that.

Security is a typical end-to-end property (even DoS prevention is, though 
the ends involved are different).  These localized issues are not in 
themselves the way to solve security problems.  The fact that non-Linux 
systems have never tried to be "IPID secure" is a tipoff that there isn't a 
real problem here.





- David
--------------------------------------------
WWW Page: http://www.reed.com/dpr.html
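
Added illustration, not part of the original message or of any implementation discussed in the thread: a Python sketch that classifies the IP ID behaviour seen in a capture of one's own host (always zero, a shared counter, or unpredictable) and, for a counter, computes the "how many packets have been sent in a time range" cue mentioned in the quoted text. The names, the `max_step` threshold, the +1-per-packet assumption and all sample values are constructed for the example.

```python
from collections import namedtuple

# One observed packet from the host under test: capture time (s) and the
# 16-bit Identification field of its IPv4 header.
Obs = namedtuple("Obs", "t ipid")

def deltas(obs):
    """Differences between consecutive IP IDs, modulo 2^16 (handles wraparound)."""
    return [(b.ipid - a.ipid) & 0xFFFF for a, b in zip(obs, obs[1:])]

def classify(obs, max_step=1000):
    """Return 'zero', 'constant', 'counter' or 'unpredictable'.

    max_step is an assumed bound on packets sent between two observations;
    a randomized ID exceeds it almost immediately.
    """
    if len(obs) < 3:
        raise ValueError("need at least 3 observations")
    if any(not 0 <= o.ipid <= 0xFFFF for o in obs):
        raise ValueError("IP ID is a 16-bit field")
    ids = {o.ipid for o in obs}
    if ids == {0}:
        return "zero"          # the IP ID = 0 case from the thread subject
    if len(ids) == 1:
        return "constant"
    if all(0 < d <= max_step for d in deltas(obs)):
        return "counter"       # one shared ++ per packet
    return "unpredictable"

def unseen_packets(obs):
    """For a counter host, packets sent elsewhere between consecutive
    observations (assumes +1 per packet); None for any other behaviour."""
    if classify(obs) != "counter":
        return None
    return [d - 1 for d in deltas(obs)]

# Constructed samples, not real captures.
ZERO = [Obs(0.0, 0), Obs(0.5, 0), Obs(1.0, 0)]
COUNTER = [Obs(0.0, 65530), Obs(0.5, 65533), Obs(1.0, 2), Obs(1.5, 3)]
RANDOM = [Obs(0.0, 0x3A1F), Obs(0.5, 0xC402), Obs(1.0, 0x0B77), Obs(1.5, 0x9E10)]

if __name__ == "__main__":
    for name, sample in (("zero", ZERO), ("counter", COUNTER), ("random", RANDOM)):
        print(name, classify(sample), unseen_packets(sample))
```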





More information about the end2end-interest mailing list