On Thu, 6 Feb 2003, jolan wrote:

> On Thu, Feb 06, 2003 at 12:33:25AM +0100, Dries Schellekens wrote:
> > * Using a random IPid field has its own challenges to uniqueness. While
> > linear congruential generators have a maximal cycle length, such
> > generators are easily cryptanalyzed. A keyed generator, as is used in
> > OpenBSD and FreeBSD, provides some protection, but one needs to be careful
> > to avoid duplication if the generator is rekeyed periodically.
> >
> > I guess it would be nice to implement this in PF. Perhaps in the form of a
> > scrub option to randomize the IPid field (comparable to TCP state
> > modulation). Scrub already provides all means of fragment reassembly,
> > needed to change the IPid of fragments belonging to each other.
>
> Doesn't the paragraph quoted say that this is already in OpenBSD or am I
> misunderstanding something?

OpenBSD hosts use random IPids. But PF doesn't rewrite IPids when NATting.
So hosts behind the NAT (running a different OS) will not have randomized
IPids and thus this counting trick will detect these hosts.

Darren Reed pointed out to me that IPFilter 4 rewrites the IPid.
"Code was added to IPFilter to do it some time before that paper was
released.  The actual implementation has changed since then with
further discussion with the paper's author but this was after the
analysis had been done so no point changing the paper."


Cheers,

Dries
--
Dries Schellekens
email: [EMAIL PROTECTED]
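
The point made in this message, as an added example that is not part of the thread and is not PF or IPFilter code: a simplified IPid-sequence counter run over constructed traffic, first as a pass-through NAT would emit it and then with every IPid rewritten to a random value. The function names, thresholds (`max_gap`, `min_len`) and starting counters are assumptions chosen for illustration.

```python
import random

MOD = 1 << 16  # the IPv4 Identification field is 16 bits

def count_hosts(ipids, max_gap=8, min_len=10):
    """Estimate the number of sequential-IPid senders in one observed stream."""
    chains = []  # each entry: [last_ipid_seen, packets_in_chain]
    for ipid in ipids:
        for chain in chains:
            # Extend a chain if this IPid is a small forward step (mod 2^16).
            if 0 < (ipid - chain[0]) % MOD <= max_gap:
                chain[0] = ipid
                chain[1] += 1
                break
        else:
            chains.append([ipid, 1])
    # Short chains are coincidental neighbours, so only long ones count.
    return sum(1 for _, n in chains if n >= min_len)

def simulate_nat_stream(starts, packets_per_host=40):
    """Constructed traffic: per-host counters, interleaved round-robin."""
    counters = list(starts)
    stream = []
    for i in range(packets_per_host):
        for h in range(len(counters)):
            stream.append(counters[h])
            # Step 1..3: some packets go to destinations the observer misses.
            counters[h] = (counters[h] + 1 + (i + h) % 3) % MOD
    return stream

def rewrite_ipids(stream, rng):
    """Model a NAT that replaces each IPid with a random 16-bit value.
    Simplification: a real rewriter must give all fragments of one
    datagram the same new IPid, which is why reassembly is needed."""
    return [rng.getrandbits(16) for _ in stream]

if __name__ == "__main__":
    observed = simulate_nat_stream([1000, 30000, 65500])  # third host wraps
    rewritten = rewrite_ipids(observed, random.Random(1))
    print("pass-through NAT:", count_hosts(observed))
    print("rewriting NAT:  ", count_hosts(rewritten))
```

With the pass-through stream the three internal counters separate cleanly, including the one that wraps past 65535; after rewriting, no chain reaches `min_len` and the estimate collapses.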
