author | Kris Kennaway <kris@FreeBSD.org> | 2001-07-19 06:37:26 +0000 |
---|---|---|
committer | Kris Kennaway <kris@FreeBSD.org> | 2001-07-19 06:37:26 +0000 |
commit | e62c173e4ddf132e8b62462cca1313ded662e2eb (patch) | |
tree | 3421675622bbea5237c8d1e8e3a20439c5f0d23b | |
parent | 14ef3eb88b957dbc13d429ea5b4dd56b04aa14d0 (diff) | |
MFC: Add ``options RANDOM_IP_ID'' which randomizes the ID field of IP
packets. This closes a minor information leak which allows a remote
observer to determine the rate at which the machine is generating packets,
since the default behaviour is to increment a counter for each packet sent.
Notes
Notes:
svn path=/stable/4/; revision=79928
-rw-r--r-- | sys/conf/files | 1 | ||||
-rw-r--r-- | sys/conf/options | 1 | ||||
-rw-r--r-- | sys/i386/conf/LINT | 7 | ||||
-rw-r--r-- | sys/netinet/ip_input.c | 3 | ||||
-rw-r--r-- | sys/netinet/ip_mroute.c | 5 | ||||
-rw-r--r-- | sys/netinet/ip_output.c | 5 | ||||
-rw-r--r-- | sys/netinet/ip_var.h | 6 | ||||
-rw-r--r-- | sys/netinet/raw_ip.c | 5 | ||||
-rw-r--r-- | sys/netinet6/ipsec.c | 4 |
9 files changed, 37 insertions, 0 deletions
diff --git a/sys/conf/files b/sys/conf/files
index 540cd29e174d..6a9a60f2a355 100644
--- a/sys/conf/files
+++ b/sys/conf/files
@@ -795,6 +795,7 @@ netinet/in_gif.c optional gif inet
 netinet/igmp.c optional inet
 netinet/in.c optional inet
 #netinet/in_hostcache.c optional inet
+netinet/ip_id.c optional inet
 netinet/in_pcb.c optional inet
 netinet/in_proto.c optional inet
 netinet/in_rmx.c optional inet
diff --git a/sys/conf/options b/sys/conf/options
index ccf34ef5dd48..60d23ca8dfb4 100644
--- a/sys/conf/options
+++ b/sys/conf/options
@@ -264,6 +264,7 @@ NETATALK opt_atalk.h
 PPP_BSDCOMP opt_ppp.h
 PPP_DEFLATE opt_ppp.h
 PPP_FILTER opt_ppp.h
+RANDOM_IP_ID
 SLIP_IFF_OPTS opt_slip.h
 TCPDEBUG
 TCP_DROP_SYNFIN opt_tcp_input.h
diff --git a/sys/i386/conf/LINT b/sys/i386/conf/LINT
index 7611df080bd3..e6de4beba1ee 100644
--- a/sys/i386/conf/LINT
+++ b/sys/i386/conf/LINT
@@ -565,6 +565,13 @@ options IPFILTER_DEFAULT_BLOCK #block all packets by default
 options IPSTEALTH #support for stealth forwarding
 options TCPDEBUG
+# RANDOM_IP_ID causes the ID field in IP packets to be randomized
+# instead of incremented by 1 with each packet generated. This
+# option closes a minor information leak which allows remote
+# observers to determine the rate of packet generation on the
+# machine by watching the counter.
+options RANDOM_IP_ID
+
 # Statically Link in accept filters
 options ACCEPT_FILTER_DATA
 options ACCEPT_FILTER_HTTP
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index ae9b626a2130..4a79ef0e7ee6 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -43,6 +43,7 @@
 #include "opt_ipfilter.h"
 #include "opt_ipstealth.h"
 #include "opt_ipsec.h"
+#include "opt_random_ip_id.h"
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -257,7 +258,9 @@ ip_init()
 maxnipq = nmbclusters / 4;
 ip_maxfragpackets = nmbclusters / 4;
+#ifndef RANDOM_IP_ID
 ip_id = time_second & 0xffff;
+#endif
 ipintrq.ifq_maxlen = ipqmaxlen;
 register_netisr(NETISR_IP, ipintr);
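Review bot: `netinet/ip_id.c` is added to the build list in the sys/conf/files hunk, but no `sys/netinet/ip_id.c` appears in this commit's diffstat, so unless the file arrives in a separate commit every `inet` kernel will fail to link once this is pulled. Marking it `optional inet` also compiles the generator into every INET kernel regardless of `RANDOM_IP_ID`, while its only declared caller, `ip_randomid` in ip_var.h, is itself guarded by `#ifdef RANDOM_IP_ID`. The same file already uses the two-option form (`netinet/in_gif.c optional gif inet`), so `netinet/ip_id.c optional random_ip_id inet` would tie the object to the option, or a comment should say why it is built unconditionally.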
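Review bot: `RANDOM_IP_ID` is entered in sys/conf/options without a header file name, like `TCPDEBUG` two lines below it, yet ip_input.c, ip_mroute.c, ip_output.c and raw_ip.c each add `#include "opt_random_ip_id.h"` and netinet6/ipsec.c tests `#ifdef RANDOM_IP_ID` without adding any include at all. Whichever header config(8) emits a header-less option into, one side of this is inconsistent: if it is a global header the four new includes are redundant, and if it is `opt_random_ip_id.h` the entry should read `RANDOM_IP_ID opt_random_ip_id.h` and ipsec4_encapsulate, which never sees the macro, would silently keep using the sequential `ip_id` counter. The ip_var.h hunk has the same dependency, guarding `extern u_short ip_id` with `#ifndef RANDOM_IP_ID` without including the option header itself, so the declaration's visibility rests on include order in every includer. Worth confirming against config(8)'s handling of header-less entries rather than by inspection of the diff alone.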
diff --git a/sys/netinet/ip_mroute.c b/sys/netinet/ip_mroute.c
index e3e22555f342..7cf6a6a54bd3 100644
--- a/sys/netinet/ip_mroute.c
+++ b/sys/netinet/ip_mroute.c
@@ -13,6 +13,7 @@
 */
 #include "opt_mrouting.h"
+#include "opt_random_ip_id.h"
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -1580,7 +1581,11 @@ encap_send(ip, vifp, m)
 */
 ip_copy = mtod(mb_copy, struct ip *);
 *ip_copy = multicast_encap_iphdr;
+#ifdef RANDOM_IP_ID
+ ip_copy->ip_id = ip_randomid();
+#else
 ip_copy->ip_id = htons(ip_id++);
+#endif
 ip_copy->ip_len += len;
 ip_copy->ip_src = vifp->v_lcl_addr;
 ip_copy->ip_dst = vifp->v_rmt_addr;
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index e3eb7247c61e..9de34c286309 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -41,6 +41,7 @@
 #include "opt_ipdivert.h"
 #include "opt_ipfilter.h"
 #include "opt_ipsec.h"
+#include "opt_random_ip_id.h"
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -209,7 +210,11 @@ ip_output(m0, opt, ro, flags, imo)
 if ((flags & (IP_FORWARDING|IP_RAWOUTPUT)) == 0) {
 ip->ip_vhl = IP_MAKE_VHL(IPVERSION, hlen >> 2);
 ip->ip_off &= IP_DF;
+#ifdef RANDOM_IP_ID
+ ip->ip_id = ip_randomid();
+#else
 ip->ip_id = htons(ip_id++);
+#endif
 ipstat.ips_localout++;
 } else {
 hlen = IP_VHL_HL(ip->ip_vhl) << 2;
diff --git a/sys/netinet/ip_var.h b/sys/netinet/ip_var.h
index 6976f0b380e7..e7e353ee0139 100644
--- a/sys/netinet/ip_var.h
+++ b/sys/netinet/ip_var.h
@@ -142,7 +142,9 @@ struct route;
 struct sockopt;
 extern struct ipstat ipstat;
+#ifndef RANDOM_IP_ID
 extern u_short ip_id; /* ip packet ctr, for ids */
+#endif
 extern int ip_defttl; /* default IP ttl */
 extern int ipforwarding; /* ip forwarding */
 extern u_char ip_protox[];
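Review bot: The four-line `#ifdef RANDOM_IP_ID` / `#else` / `#endif` block around the ID assignment in encap_send is repeated verbatim in ip_output, rip_output and ipsec4_encapsulate, so the choice of generator is spread over four call sites and any future caller that writes `htons(ip_id++)` directly would bypass the option without anyone noticing. A single helper next to the `ip_randomid` prototype in ip_var.h, e.g. `static __inline u_int16_t ip_newid(void) { return ip_randomid(); }` under the option and `{ return htons(ip_id++); }` otherwise, would reduce every site to `ip_copy->ip_id = ip_newid();` and keep the policy in one place. encap_send's body continues outside the hunk.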
@@ -167,6 +169,10 @@ void ip_slowtimo __P((void));
 struct mbuf *
 ip_srcroute __P((void));
 void ip_stripoptions __P((struct mbuf *, struct mbuf *));
+#ifdef RANDOM_IP_ID
+u_int16_t
+ ip_randomid __P((void));
+#endif
 int rip_ctloutput __P((struct socket *, struct sockopt *));
 void rip_ctlinput __P((int, struct sockaddr *, void *));
 void rip_init __P((void));
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index 6b4e6361c683..aea9c05942d5 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -36,6 +36,7 @@
 #include "opt_inet6.h"
 #include "opt_ipsec.h"
+#include "opt_random_ip_id.h"
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -239,7 +240,11 @@ rip_output(m, so, dst)
 return EINVAL;
 }
 if (ip->ip_id == 0)
+#ifdef RANDOM_IP_ID
+ ip->ip_id = ip_randomid();
+#else
 ip->ip_id = htons(ip_id++);
+#endif
 /* XXX prevent ip_output from overwriting header fields */
 flags |= IP_RAWOUTPUT;
 ipstat.ips_rawout++;
diff --git a/sys/netinet6/ipsec.c b/sys/netinet6/ipsec.c
index b55771e519c7..dd102313f696 100644
--- a/sys/netinet6/ipsec.c
+++ b/sys/netinet6/ipsec.c
@@ -2057,7 +2057,11 @@ ipsec4_encapsulate(m, sav)
 ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: "
 "leave ip_len as is (invalid packet)\n"));
 }
+#ifdef RANDOM_IP_ID
+ ip->ip_id = ip_randomid();
+#else
 ip->ip_id = htons(ip_id++);
+#endif
 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr,
 &ip->ip_src, sizeof(ip->ip_src));
 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr,
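Review bot: The new `ip_randomid` prototype in ip_var.h carries no comment, yet every caller in this commit assigns its result straight to `ip->ip_id` where the counter path applies `htons()`, so the contract that the value needs no byte swap lives only in the callers. A comment on the declaration, e.g. `/* random IP id, returned ready for ip_id (callers apply no htons) */`, would pin that down; it could also record that a random 16-bit ID, unlike the counter, may repeat within the fragment reassembly window, which anyone adding a fragmenting caller should weigh. Whether the generator avoids near-term repeats cannot be judged here, since ip_id.c is not part of this diff.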
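Review bot: In rip_output the unbraced `if (ip->ip_id == 0)` now has its single statement selected by preprocessor conditionals, so the `if` binds to whichever assignment survives and a later edit that adds a second line inside either arm would silently fall outside the condition. Bracing the body, `if (ip->ip_id == 0) {` before the `#ifdef` and `}` after the `#endif`, keeps both arms under the condition regardless of future edits. rip_output's body continues outside the hunk.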