[e2e] Re: Question on "identification" field of IP header

Rick Jones raj at tardy.cup.hp.com
Mon Dec 16 10:49:21 PST 2002


> Thanks for the pointer. I have heard that the IP ID field is used for 
> covert channel by hackers. Apparently a rogue SSL implementation was 
> leaking session keys in the IP ID field. While not foolproof or the 
> ultimate defense, if I don't need to use the IP ID field for IP 
> datagrams with the don't fragment bit set (mostly TCP), then it may be 
> useful as an intrusion detection technique.
 
I'd be very careful fixing the IP ID - I have been told by one major
"interconnect" vendor that some of their products have ways to allow
the customer (at customers persistent request) to cause the devices to
ignore and clear the DF bit...
 
rick jones




More information about the end2end-interest mailing list