From mboxrd@z Thu Jan 1 00:00:00 1970
From: Ulisses
Subject: Re: IP-ID field of ICMP echo request
Date: 07 Jul 2003 15:40:36 -0300
Sender: netdev-bounce@oss.sgi.com
Message-ID: <1057603237.1001.18.camel@ryback>
References: <3F095B7B.5090203@cysols.com>
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Cc: netdev@oss.sgi.com
Return-path:
To: Kohei OHTA
In-Reply-To: <3F095B7B.5090203@cysols.com>
Errors-to: netdev-bounce@oss.sgi.com
List-Id: netdev.vger.kernel.org

On Mon, 2003-07-07 at 08:37, Kohei OHTA wrote:
> I found a strange packet, which is generated by ping of Linux.
> It is observed ID field of IP header in ping packet (Echo request) is always 0.
>
> I confirmed this on kernel 2.4.18 and 2.4.21.
> My colleague also confirmed this is fixed in kernel 2.5.74.
>
> I hope this is fixed in next next 2.4.x release.

Hi, Kohei,

I guess this behaviour is to prevent Idle scanning, that is based on
predictable IPID numbers [1]. Therefore, the Linux TCP/IP stack uses 0
as IPID when the DF (Don't Fragment) bit is set.

I'm not sure, but I think that Linux also uses peer-specific IPID
numbers to make the prediction harder.

--
Ulisses

[1] http://www.insecure.org/nmap/idlescan.html
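
Added example, not part of the original message or of the Linux kernel source: a check that reads the IP ID and DF bit from captured IPv4 headers sent by one host and reports whether it sees the ID=0-with-DF behaviour discussed in the thread or a small-step incrementing counter. The function names, the `max_step` threshold and the sample headers are constructed for illustration.

```python
import struct

DF = 0x4000  # Don't Fragment bit in the IPv4 flags/fragment-offset field

def parse_ipv4(header: bytes):
    """Return (ip_id, df_set) from a raw IPv4 header."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _total_len, ip_id, flags_frag = struct.unpack("!BBHHH", header[:8])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return ip_id, bool(flags_frag & DF)

def classify(headers, max_step=16):
    """Classify IP ID behaviour across packets from one sender, in capture order.

    max_step is an assumed bound on how far a shared counter advances between
    two captured packets; tune it to the capture.
    """
    parsed = [parse_ipv4(h) for h in headers]
    if len(parsed) < 3:
        return "insufficient-data"
    ids = [ip_id for ip_id, _ in parsed]
    if all(i == 0 for i in ids):
        return "zero-with-df" if all(df for _, df in parsed) else "zero"
    # Differences modulo 2**16 so a counter wrapping 65535 -> 0 still counts.
    deltas = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]
    if all(0 < d <= max_step for d in deltas):
        return "incrementing"  # predictable counter visible to this observer
    return "no-small-step-counter"

def build(ip_id, df):
    """Constructed 20-byte ICMP-carrying IPv4 header (checksum left at 0, not validated)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 84, ip_id, DF if df else 0,
                       64, 1, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))

if __name__ == "__main__":
    samples = {
        "as described in the reply": [build(0, True)] * 4,
        "wrapping counter": [build(i, False) for i in (65534, 65535, 0, 1)],
        "scattered IDs": [build(i, False) for i in (0x1A2B, 0x9C01, 0x0333, 0xF00D)],
    }
    for label, hdrs in samples.items():
        print(f"{label}: {classify(hdrs)}")
```

A "no-small-step-counter" result from a single vantage point does not distinguish random IDs from per-peer counters; it only says no shared small-step counter was visible in that capture.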