[e2e] Re: Question on "identification" field of IP header

Ramesh Shankar RShankar at Novell.COM
Sat Dec 14 13:06:53 PST 2002

Thanks for the pointer. I have heard that the IP ID field is used as 
a covert channel by hackers. Apparently a rogue SSL implementation was 
leaking session keys in the IP ID field. While not foolproof or the 
ultimate defense, if I don't need to use the IP ID field for IP 
datagrams with the don't fragment bit set (mostly TCP), then it may be 
useful as an intrusion detection technique.



Felix Hernandez-Campos wrote:

> Ramesh Shankar wrote:
>> If the "Don't fragment bit" is set in the IP header, what purpose 
>> does the "identification" field serve? Why can't I simply put 0 for 
>> this field in such a case? I remember coming across some e-mail chain 
>> in one of the mailing lists (TCP-IMPL, e2e, TSVWG) about this issue 
>> and the interaction with NAT. But I am not sure what came out of that 
>> discussion.
> You may want to have a look at Steve Bellovin's "A Technique for 
> Counting NATed Hosts", presented at IMW 2002. The paper discusses how 
> the IP header's ID field can be used to infer the number of hosts 
> behind a NAT box.
> Regards,
> Felix.


More information about the end2end-interest mailing list
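
An added example, not part of the original message or thread: a minimal detection check for the idea raised above, assuming a hypothetical site policy under which monitored hosts send IP ID 0 on unfragmented datagrams with the don't-fragment bit set. The function names, the monitored-host set and the sample headers are constructed for illustration.

```python
import socket
import struct

DF, MF = 0x4000, 0x2000  # flag bits in the 16-bit flags/fragment-offset word

def parse_ipv4(hdr: bytes) -> dict:
    """Decode the fields of the fixed 20-byte IPv4 header that this check needs."""
    if len(hdr) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, ident, flags_off, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", hdr[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "id": ident, "proto": proto,
        "df": bool(flags_off & DF), "mf": bool(flags_off & MF),
        "frag_off": flags_off & 0x1FFF,
    }

def suspicious_ids(headers, zero_id_hosts):
    """Return parsed headers that break the assumed 'ID is 0 when DF is set' policy."""
    hits = []
    for raw in headers:
        p = parse_ipv4(raw)
        atomic = p["df"] and not p["mf"] and p["frag_off"] == 0
        # Fragments and DF-clear datagrams need a real ID for reassembly: never flag them.
        if p["src"] in zero_id_hosts and atomic and p["id"] != 0:
            hits.append(p)
    return hits

def build_header(src, dst, ident, flags_off, proto=6):
    """Constructed sample input: a 20-byte header (checksum left 0, not validated here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ident, flags_off, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

# Constructed sample traffic (documentation address ranges).
SAMPLE = [
    build_header("192.0.2.10", "198.51.100.7", 0x0000, DF),   # compliant with the policy
    build_header("192.0.2.10", "198.51.100.7", 0xBEEF, DF),   # DF set, non-zero ID
    build_header("192.0.2.10", "198.51.100.7", 0x1234, MF),   # first fragment, ID needed
    build_header("192.0.2.10", "198.51.100.7", 0x1234, 185),  # later fragment, ID needed
    build_header("192.0.2.99", "198.51.100.7", 0x4242, DF),   # host outside the policy
]

if __name__ == "__main__":
    for p in suspicious_ids(SAMPLE, {"192.0.2.10"}):
        print(f"{p['src']} -> {p['dst']} DF set, unexpected ID 0x{p['id']:04x}")
```

The check only means something for hosts whose IP stack is known to zero the field; a stack that fills the ID on every datagram would trip it on normal traffic.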