Subject: Re: CVS commit: src/sys/netinet
To: John Hawkinson <jhawk@MIT.EDU>
From: Steven M. Bellovin <smb@research.att.com>
List: source-changes
Date: 09/11/2003 11:36:16
In message <20030911015148.GA7118@multics.mit.edu>, John Hawkinson writes:
>Steven M. Bellovin <smb@research.att.com> wrote on Tue, 9 Sep 2003
>at 07:40:55 -0400 in <20030909114055.1D4007B44@berkshire.research.att.com>:
>
>> >Without wanting to advocate change for the sake of change, how much
>> >sense does it make to go a step further and use a constant value in
>> >the ID field (say 0?) for all "do not fragment" packets ?
>>
>> It makes a lot of sense, though it gives away some fingerprinting info.
>> In fact, I believe that some Linux distributions already do just that.
>> (At least one brand of router uses 0 for link-local OSPF packets, which
>> it knows can't be fragmented, and a counter for TCP.)
>
>I'm curious if it really buys us very much. Having consistently
>increasing ip IDs (and even different IP IDs) can be a valuable
>debugging tool.
It blocks some stealth scanning techniques, and defeats my "count the
hosts behind a NAT" technique. I believe that the latest ipf does the
latter when it's acting as a NAT, but it doesn't help machines that are
behind commercial NATs.
--Steve Bellovin, http://www.research.att.com/~smb