From: Jeffrey Knockel <jeffk@cs.unm.edu>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
David Miller <davem@davemloft.net>,
netdev <netdev@vger.kernel.org>,
"Jedidiah R. Crandall" <crandall@cs.unm.edu>,
Willy Tarreau <w@1wt.eu>,
"security@kernel.org" <security@kernel.org>
Subject: Re: [PATCH net] ip: make IP identifiers less predictable
Date: Fri, 25 Jul 2014 14:28:35 -0600 [thread overview]
Message-ID: <53D2BDF3.5060909@cs.unm.edu> (raw)
In-Reply-To: <1406311751.3363.95.camel@edumazet-glaptop2.roam.corp.google.com>
On 07/25/2014 12:09 PM, Eric Dumazet wrote:
> What do you mean by "an attacker who controls a large number of
> addresses" ?
In general, I mean any attacker who can read the packets sent to a large
number of different Internet addresses. Even an attacker who has one
address but can cycle through different assignments may be a problem.
> The hash(daddr) -> slot function is not known, as we use a Jenkin hash
> with a secret ( ip_idents_hashrnd & ip6_idents_hashrnd )
That's true, but the secret never changes, right? I may not be able to
identify the slot number that any address is hashed to, but I can
identify when some victim address hashes to the same slot as one of my
addresses whose packets I can read. For instance, if I in short succession
1. Probe value of the IP id counter for each of my addresses
2. Spoof a large number of (e.g.) echo requests from victim address (or
something else to the distribution that I can measure)
3. Again probe value of the IP id counter for each of my addresses
Then I can tell which of my addresses hash to the same slot as the
victim address by whose value of the IP id counter has jumped as a
result of the linux machine sending echo replies to the victim.
Jeff
next prev parent reply other threads:[~2014-07-25 20:28 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-07-24 8:07 [PATCH net] ip: make IP identifiers less predictable Eric Dumazet
2014-07-24 18:21 ` Linus Torvalds
2014-07-25 15:55 ` Jeffrey Knockel
2014-07-25 18:09 ` Eric Dumazet
2014-07-25 18:35 ` Linus Torvalds
2014-07-25 18:38 ` Eric Dumazet
2014-07-25 19:03 ` Willy Tarreau
2014-07-25 23:05 ` Hannes Frederic Sowa
2014-07-25 20:28 ` Jeffrey Knockel [this message]
2014-07-25 19:50 ` [PATCH v2 " Eric Dumazet
2014-07-25 19:54 ` Eric Dumazet
2014-07-25 19:57 ` Eric Dumazet
2014-07-25 22:35 ` Hannes Frederic Sowa
2014-07-26 6:51 ` Eric Dumazet
2014-07-26 12:21 ` Hannes Frederic Sowa
2014-07-26 6:58 ` [PATCH v3 " Eric Dumazet
2014-07-29 1:47 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53D2BDF3.5060909@cs.unm.edu \
--to=jeffk@cs.unm.edu \
--cc=crandall@cs.unm.edu \
--cc=davem@davemloft.net \
--cc=eric.dumazet@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=security@kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=w@1wt.eu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.