So, surprisingly, many OSes don't synchronize their TCP timestamp
clock to their system clock, so effectively they leak the skew of
that clock, even if they are synching their system clock via NTP.

I am wondering what the current behavior is for OpenBSD, and if
scrubbing or any other pf function (e.g. synproxy) does anything
about it.

My thoughts are that scrubbing should replace any end-system timestamps
in the outbound packets with OpenBSD's timestamps.  This would have the
benefit of making all boxes behind NAT have the same clock skew, a minor
win.

The best solution would be to drive the TCP clock off the system clock,
so that if you synch with NTP, you don't have to worry about timestamps.

A lesser win would be giving scrub the ability to remove them from
packets on the way out.  This would make them look like MS Windoze,
which doesn't enable timestamps by default.  This only need be done on
the SYN if the remote end follows RFCs, but a malicious remote system
could put them on ACK packets and the end system typically starts
using them too (at least, that's true with Windoze).

Also, does OpenBSD suffer from etherleak the way other BSDs do, or
has that been fixed long ago?

Any other mechanisms that might identify/fingerprint a host that
aren't automatically fixed by scrubbing with the right options,
or that may not be obvious from the scrub documentation?

I know that you want to use min-ttl in order to hide the number
of hops in your internal network before it hit the firewall, and
random-id is fairly obvious; is there anything else?

Would people like a manual or FAQ section on exactly what scrubbing
does?  I think it could use one.  For example, does it block /S,
F/SFRA, U/SFRAU, FUP/FUP?  Nothing in the FAQ or manual (last I
checked) dealt with this at all.  Opinions?  Questions?
-- 
``Unthinking respect for authority is the greatest enemy of truth.''
-- Albert Einstein -><- <URL:http://www.subspacefield.org/~travis/>

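The skew leak the post opens with can be made concrete. The following is an added example, not code from the original message or from the pf project: it takes a list of (observer arrival time, TSval) pairs for one sender, recovers the sender's nominal TSval tick rate, and then measures how far the TSval clock drifts against the observer's clock in parts per million, following the approach of Kohno, Broido and claffy's remote physical device fingerprinting work. The two hosts, their skews, tick rates and jitter are all constructed inside the script; the set of candidate tick rates is an assumption for the illustration, not an authoritative list.

```python
"""Estimate TCP-timestamp clock skew from (arrival_time, TSval) samples.

Added example with constructed data, not from the original post.  A host
whose TSval clock is not tied to the NTP-disciplined system clock leaks
that clock's drift (skew) in every TSval it sends; the drift rate, in
ppm, is stable per host and therefore usable as a fingerprint, even for
several hosts sharing one NAT address.
"""
import random
from typing import List, Sequence, Tuple

Sample = Tuple[float, int]  # (observer arrival time in seconds, TSval)

# Assumed candidate tick rates for the illustration (ticks per second).
COMMON_HZ = (2, 10, 100, 250, 1000)


def _lstsq_slope(xs: Sequence[float], ys: Sequence[float]) -> float:
    """Ordinary least-squares slope of ys against xs."""
    n = len(xs)
    mx = sum(xs) / n
    my = sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx


def _tick_deltas(samples: Sequence[Sample]) -> List[int]:
    """TSval advance since the first sample, modulo 2^32 so a wrap is harmless."""
    v0 = samples[0][1]
    return [(v - v0) & 0xFFFFFFFF for _, v in samples]


def estimate_hz(samples: Sequence[Sample]) -> int:
    """Recover the sender's nominal TSval tick rate.

    The raw slope of ticks against observer time is hz*(1+skew); snapping
    to the nearest candidate rate absorbs both the skew and queueing jitter.
    """
    t0 = samples[0][0]
    xs = [t - t0 for t, _ in samples]
    slope = _lstsq_slope(xs, _tick_deltas(samples))
    return min(COMMON_HZ, key=lambda hz: abs(hz - slope))


def estimate_skew_ppm(samples: Sequence[Sample], hz: int) -> float:
    """Skew of the sender's TSval clock relative to the observer, in ppm.

    offset_i = ticks_i/hz - (t_i - t_0) grows linearly with time at the
    skew rate; the slope of that line is the per-host fingerprint.
    """
    t0 = samples[0][0]
    xs = [t - t0 for t, _ in samples]
    ys = [ticks / hz - x for ticks, x in zip(_tick_deltas(samples), xs)]
    return _lstsq_slope(xs, ys) * 1e6


def fingerprint(samples: Sequence[Sample]) -> Tuple[int, float]:
    """(nominal tick rate, skew in ppm) for one sender's TSval stream."""
    hz = estimate_hz(samples)
    return hz, estimate_skew_ppm(samples, hz)


def synth_host(skew_ppm: float, hz: int, duration_s: float, n: int,
               jitter_s: float, seed: int) -> List[Sample]:
    """Constructed TSval stream for a host whose TSval clock drifts by skew_ppm.

    Arrival times carry uniform random delay jitter; seed keeps it reproducible.
    """
    rng = random.Random(seed)
    tsval_start = rng.randrange(1 << 31)
    out: List[Sample] = []
    for i in range(n):
        true_t = duration_s * i / (n - 1)
        # The sender's TSval clock has advanced (1 + skew) * true_t seconds.
        tsval = (tsval_start + int(true_t * (1 + skew_ppm * 1e-6) * hz)) & 0xFFFFFFFF
        out.append((true_t + rng.uniform(0, jitter_s), tsval))
    return out


def demo() -> dict:
    """Two constructed hosts behind one NAT address, told apart by skew alone."""
    host_a = synth_host(skew_ppm=50.0, hz=1000, duration_s=3600, n=200,
                        jitter_s=0.005, seed=1)
    host_b = synth_host(skew_ppm=-120.0, hz=100, duration_s=3600, n=200,
                        jitter_s=0.005, seed=2)
    return {"A": fingerprint(host_a), "B": fingerprint(host_b)}


if __name__ == "__main__":
    for name, (hz, ppm) in demo().items():
        print(f"host {name}: TSval clock {hz} Hz, skew {ppm:+.1f} ppm")
```

An hour of samples with millisecond-scale jitter pins the skew to well under a ppm, so two hosts sharing one external address remain separable by this measurement; rewriting or stripping the TSval option at the firewall, as the post proposes, is what removes the signal, and a sender that drives its TSval clock from the NTP-disciplined system clock presents near-zero skew instead of a distinctive one.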