From mboxrd@z Thu Jan 1 00:00:00 1970
From: Kohei OHTA
Subject: Re: IP-ID field of ICMP echo request
Date: Tue, 08 Jul 2003 10:59:00 +0900
Sender: netdev-bounce@oss.sgi.com
Message-ID: <3F0A2564.6030003@cysols.com>
References: <3F095B7B.5090203@cysols.com> <1057603237.1001.18.camel@ryback>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Cc: netdev@oss.sgi.com
Return-path:
To: Ulisses
In-Reply-To: <1057603237.1001.18.camel@ryback>
Errors-to: netdev-bounce@oss.sgi.com
List-Id: netdev.vger.kernel.org

Ulisses,

Thanks for your helpful information.
I understood the reason.

The article pointed by you says
"Linux 2.4 also uses peer-specific IPID values (see net/ipv4/inetpeer.c)."
That is great.

Kohei.

>>I found a strange packet, which is generated by ping of Linux.
>>It is observed ID field of IP header in ping packet (Echo request) is always 0.
>>
>>I confirmed this on kernel 2.4.18 and 2.4.21.
>>My colleague also confirmed this is fixed in kernel 2.5.74.
>>
>>I hope this is fixed in next next 2.4.x release.
>
> Hi, Kohei,
>
> I guess this behaviour is to prevent Idle scanning, that is based on
> predictable IPID numbers [1]. Therefore, the Linux TCP/IP stack uses 0
> as IPID when the DF (Don't Fragment) bit is set. I'm not sure, but I
> think that Linux also uses peer-specific IPID numbers to make the
> prediction harder.
>
> -- Ulisses
>
> [1] http://www.insecure.org/nmap/idlescan.html
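
Added example, not part of the thread or of the kernel source: a Python check that reads the ID and DF fields from captured IPv4 headers of a host you administer and reports whether it shows the behaviour discussed above (ID 0 with DF set) or a stepping ID counter. The function names, the constructed sample headers (documentation addresses 192.0.2.x) and the step threshold of 16 are assumptions made for illustration.

```python
import struct

DF_BIT = 0x4000      # "Don't Fragment" flag in the flags/fragment-offset word
MAX_STEP = 16        # assumed threshold: small positive steps count as a counter


def make_header(ip_id, df):
    """Build a constructed 20-byte IPv4 header (protocol 1 = ICMP, checksum 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 84, ip_id,
                       DF_BIT if df else 0, 64, 1, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))


def parse_ipv4(header):
    """Return (ip_id, df_set) from the fixed part of an IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ip_id, flags_frag = struct.unpack_from("!HH", header, 4)
    return ip_id, bool(flags_frag & DF_BIT)


def classify_ipid(headers):
    """Classify the IP-ID behaviour across headers sent by one host, in order."""
    parsed = [parse_ipv4(h) for h in headers]
    if len(parsed) < 3:
        return "insufficient-samples"
    ids = [ip_id for ip_id, _ in parsed]
    if all(ip_id == 0 for ip_id in ids):
        # The case reported in the thread: ID 0 on packets that carry DF.
        return "zero-with-df" if all(df for _, df in parsed) else "zero"
    if len(set(ids)) == 1:
        return "constant"
    # Differences modulo 2**16 so a counter wrapping 65535 -> 0 still counts.
    deltas = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]
    if all(0 < d <= MAX_STEP for d in deltas):
        return "incremental"      # predictable counter, observable by a peer
    return "non-sequential"


if __name__ == "__main__":
    zero_df = [make_header(0, True) for _ in range(4)]
    counter = [make_header(i, False) for i in (1000, 1001, 1003, 1004)]
    print(classify_ipid(zero_df), classify_ipid(counter))
```
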