From: Patrick McHardy <kaber@trash.net>
To: Jan Engelhardt <jengelh@medozas.de>
Cc: Nicolas Bareil <nico@chdir.org>,
	netfilter-devel@vger.kernel.org,
	Nicolas Bareil <nicolas.bareil@eads.net>
Subject: Re: scrubbing support in Netfilter
Date: Wed, 28 May 2008 06:38:47 +0200
Message-ID: <483CE1D7.30408@trash.net>
In-Reply-To: <alpine.LNX.1.10.0805271729350.12937@fbirervta.pbzchgretzou.qr>

Jan Engelhardt wrote:
> On Tuesday 2008-05-27 17:12, Nicolas Bareil wrote:
>>
>> I developed a Netfilter module which performs packet normalization, the
>> "scrubbing" feature of OpenBSD[1]. Normalized traffic offers the
>> following possibilities:
>
> I seem to remember that Linux's TCP or nf_conntrack already does
> some scrubbing.

No, unless you're referring to the unwanted side-effects from
defragmentation and refragmentation for IPv4. I also don't
want to include something like this in netfilter, NAT is
already bad enough and the threats it *might* protect against
seem a bit vague. Better throw your broken IDS out if it can
be fooled by changing TTLs.

I don't want to sound too discouraging though, I have no problem
adding it to the pom-ng sources.list.

>> The current patch achieves the following transformations:
>>
>> * IPv4
>>  - Random IP ID
>>  - Zeroify ToS
> 
> Zeroify? Clearing the TOS is probably not a good idea because
> it defeats packet scheduling (if it uses TOS).

Well .. ToS is only useful within your own administrative
boundaries anyways, I've seen quite a few ISPs overwriting
it during transit.

>>  - TTL normalization
>>
>> * TCP
>> - Random TCP Sequence
> 
> I wonder if Linux already has this.

For forwarded traffic? No.

> 
>> - TCP Options
>>   - Random Timestamp
> 
> Is this even RFC compatible?

I assume it's a random offset per connection, but still, no.
You can also still distinguish different hosts by their clock
rates.
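Added illustration of the last point above (constructed example, not code from the thread or from the scrubbing patch being discussed): a per-connection random offset on the TCP timestamp option shifts the TSval intercept, but a passive observer fitting TSval against arrival time still recovers the sender's clock rate. The host names, clock rates and packet timings are assumed here.

```python
import random

# Constructed: two hosts whose TCP timestamp clocks (RFC 1323 TSval) tick at
# different rates, as different kernels/HZ settings do. Values are assumed.
HOST_HZ = {"host_a": 100, "host_b": 1000}
KNOWN_RATES = (100, 250, 1000)          # candidate rates for classification

def observed_tsvals(host, n_packets=20, interval_s=0.25, seed=0):
    """Simulate (arrival_time, TSval) pairs as seen by a passive observer
    after a scrubber has added a random per-connection offset to TSval."""
    rng = random.Random(seed)
    offset = rng.randrange(0, 2**32)    # the per-connection random offset
    hz = HOST_HZ[host]
    samples = []
    for i in range(n_packets):
        t = i * interval_s + rng.uniform(0, 0.02)   # small arrival jitter
        tsval = (int(t * hz) + offset) % 2**32      # 32-bit wrapping counter
        samples.append((t, tsval))
    return samples

def estimate_clock_hz(samples):
    """Least-squares slope of TSval against arrival time. The offset only
    moves the intercept; the slope is the host's timestamp clock rate."""
    t0, ts0 = samples[0]
    xs = [t - t0 for t, _ in samples]
    ys = [(ts - ts0) % 2**32 for _, ts in samples]   # unwrap the counter
    xm = sum(xs) / len(xs)
    ym = sum(ys) / len(ys)
    num = sum((x - xm) * (y - ym) for x, y in zip(xs, ys))
    den = sum((x - xm) ** 2 for x in xs)
    return num / den

def classify_clock(samples):
    """Map the estimated rate onto the nearest known clock rate."""
    est = estimate_clock_hz(samples)
    return min(KNOWN_RATES, key=lambda r: abs(r - est))

if __name__ == "__main__":
    for host in HOST_HZ:
        for seed in (0, 7):            # different seeds -> different offsets
            s = observed_tsvals(host, seed=seed)
            print(host, "offset seed", seed, "-> ~%.1f Hz" % estimate_clock_hz(s),
                  "classified as", classify_clock(s))
```

Hosts using different rates stay distinguishable regardless of the offset; only a scheme that also rewrites the rate (or strips the option) removes this signal, which is not what a random per-connection offset does.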
