Contributed by jose on from the veen-more-cool-things-with-PF dept.
Very cool, now PF can do even more work on securing boxes behind a PF device. Be sure to test this and make sure it doesn't break anything (I think Daniel read the RFCs for a long time before making this commit)."List: openbsd-cvs Subject: CVS: cvs.openbsd.org: src From: Daniel HartmeierLink: CVS commitDate: 2003-02-08 20:13:20 CVSROOT: /cvs Module name: src Changes by: dhartmei@cvs.openbsd.org 2003/02/08 13:13:20 Modified files: share/man/man5 : pf.conf.5 sys/net : pfvar.h pf_norm.c sbin/pfctl : parse.y pfctl_parser.c Log message: Add scrub option 'random-id', which replaces IP IDs with random values for outgoing packets that are not fragmented (after reassembly), to compensate for predictable IDs generated by some hosts, and defeat fingerprinting and NAT detection as described in the Bellovin paper http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@ Paper on NAT detection by Steven Bellovin "
(Comments are closed)
By Dries Schellekens () on http://www.benzedrine.cx/pf/msg01153.html
http://www.benzedrine.cx/pf/msg01153.html
Comments
By anders () on
By Daniel Hartmeier () daniel@benzedrine.cx on http://www.benzedrine.cx/pf.html
By Shane () on
Comments
By danimal () on
Comments
By Shane () on
Comments
By zil0g () on
Comments
By jolan () on
Comments
By Anonymous Coward () on
By Dries Schellekens () on http://www.benzedrine.cx/pf/msg01165.html
By Daniel Hartmeier () daniel@benzedrine.cx on mailto:daniel@benzedrine.cx
But if you're NATing for several non-OpenBSD hosts which use weak id generation (like the classic 'increment by one' algorithm), your uplink (or an external host) can analyze the ids and deduce the number of hosts.
There seem to be a number of ISPs which prohibit the use of NAT in their AUPs, and IP ids would be one way for them to come to the conclusion that someone is using NAT. While I wouldn't recommend anyone to violate his ISPs AUP, I do think such policies are misguided and technically not enforcable. random-id is meant to illustrate that point. :)
There's also certain attacks basing on predictable IP ids, so randomizing ids for weak stacks has perfectly legitimate uses as well.
By Shane J Pearson () on
Do yourself a favour and read these papers before reading comments made by others. Did you hear these things at /.? /. can be a time sink and this time is much better spent anywhere else.
By Jason Dixon () jwdixon ONE at YAHOO dot com on mailto:jwdixon ONE at YAHOO dot com
-J.
By Matt () on
By Anonymous Coward () on
Bastard...
Comments
By Anonymous Coward () on
and gigabit over copper can do 10 times that - at a cost that i am almost willing to pay.
Comments
By zil0g () on
By Anonymous Coward () on
Isn't this kind of a weak move?
Comments
By djm () on
By Anonymous Coward () on
By tedu () on
there are a variety of existing protocols that rely on "STO", and where increasing obscurity is a good thing.
obscurity is not security. but security is obscurity. now ponder.
By Anonymous Coward () on
A better solution would be to replace all the weak IP ID generators with strong ones, but this is impractical. As it is, this is sort of like having a VPN concentrator.