From: Jeffrey Knockel <jeffk@cs•unm.edu>
To: Eric Dumazet <eric.dumazet@gmail•com>
Cc: Linus Torvalds <torvalds@linux-foundation•org>,
David Miller <davem@davemloft•net>,
netdev <netdev@vger•kernel.org>,
"Jedidiah R. Crandall" <crandall@cs•unm.edu>,
Willy Tarreau <w@1wt•eu>,
"security@kernel•org" <security@kernel•org>
Subject: Re: [PATCH net] ip: make IP identifiers less predictable
Date: Fri, 25 Jul 2014 14:28:35 -0600 [thread overview]
Message-ID: <53D2BDF3.5060909@cs.unm.edu> (raw)
In-Reply-To: <1406311751.3363.95.camel@edumazet-glaptop2.roam.corp.google.com>
On 07/25/2014 12:09 PM, Eric Dumazet wrote:
> What do you mean by "an attacker who controls a large number of
> addresses" ?
In general, I mean any attacker who can read the packets sent to a large
number of different Internet addresses. Even an attacker who has one
address but can cycle through different assignments may be a problem.
> The hash(daddr) -> slot function is not known, as we use a Jenkin hash
> with a secret ( ip_idents_hashrnd & ip6_idents_hashrnd )
That's true, but the secret never changes, right? I may not be able to
identify the slot number that any address is hashed to, but I can
identify when some victim address hashes to the same slot as one of my
addresses whose packets I can read. For instance, if I in short succession
1. Probe value of the IP id counter for each of my addresses
2. Spoof a large number of (e.g.) echo requests from victim address (or
something else to the distribution that I can measure)
3. Again probe value of the IP id counter for each of my addresses
Then I can tell which of my addresses hash to the same slot as the
victim address by whose value of the IP id counter has jumped as a
result of the linux machine sending echo replies to the victim.
Jeff
next prev parent reply other threads:[~2014-07-25 20:28 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-07-24 8:07 [PATCH net] ip: make IP identifiers less predictable Eric Dumazet
2014-07-24 18:21 ` Linus Torvalds
2014-07-25 15:55 ` Jeffrey Knockel
2014-07-25 18:09 ` Eric Dumazet
2014-07-25 18:35 ` Linus Torvalds
2014-07-25 18:38 ` Eric Dumazet
2014-07-25 19:03 ` Willy Tarreau
2014-07-25 23:05 ` Hannes Frederic Sowa
2014-07-25 20:28 ` Jeffrey Knockel [this message]
2014-07-25 19:50 ` [PATCH v2 " Eric Dumazet
2014-07-25 19:54 ` Eric Dumazet
2014-07-25 19:57 ` Eric Dumazet
2014-07-25 22:35 ` Hannes Frederic Sowa
2014-07-26 6:51 ` Eric Dumazet
2014-07-26 12:21 ` Hannes Frederic Sowa
2014-07-26 6:58 ` [PATCH v3 " Eric Dumazet
2014-07-29 1:47 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53D2BDF3.5060909@cs.unm.edu \
--to=jeffk@cs$(echo .)unm.edu \
--cc=crandall@cs$(echo .)unm.edu \
--cc=davem@davemloft$(echo .)net \
--cc=eric.dumazet@gmail$(echo .)com \
--cc=netdev@vger$(echo .)kernel.org \
--cc=security@kernel$(echo .)org \
--cc=torvalds@linux-foundation$(echo .)org \
--cc=w@1wt$(echo .)eu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox