Add more documentation about the "net.inet.ip.random_id" sysctl knob
and how it can affect information flow between observers.

MFC after: 1 week
parent 36725fc471
commit 7ab169a322
@ -28,7 +28,7 @@
.\" From: @(#)inet.4 8.1 (Berkeley) 6/5/93
.\" $FreeBSD$
.\"
.Dd April 2, 2015
.Dd April 3, 2015
.Dt INET 4
.Os
.Sh NAME
@ -244,10 +244,22 @@ IP datagrams (or all IP datagrams, if
.Va ip.rfc6864
is disabled) to be randomized instead of incremented by 1 with each packet
generated.
This closes a minor information leak which allows remote observers to
This prevents information exchange between any combination of two or
more inside and/or outside observers using packet frequency
modulation, PFM.
An outside observer can ping the outside facing port at a fixed rate
sampling the returned counter.
An inside observer can ping the inside facing port sampling the same
counter.
Even though packets don't flow directly between any of the observers
any single observer can influence the data rate the other observer(s)
is or are sampling.
This is done by sending more or less ping packets towards the gateway
per measured interval.
Setting this sysctl also prevents the remote and internal observers to
determine the rate of packet generation on the machine by watching the
counter.
In the same time, on high-speed links, it can decrease the ID reuse
At the same time, on high-speed links, it can decrease the ID reuse
cycle greatly.
Default is 0 (sequential IP IDs).
IPv6 flow IDs and fragment IDs are always random.
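Review bot: The new sentence "This prevents information exchange between any combination of two or more inside and/or outside observers using packet frequency modulation, PFM." overstates what the knob buys: randomizing the IP ID removes the ID counter as the shared state the observers sample, but it says nothing about other shared state on the gateway (response timing, queue occupancy) that the same modulation of ping rate could still drive, so the text should scope the claim to the counter, e.g. "This prevents the IP ID counter from being used for information exchange between ...". In the same paragraph, "prevents the remote and internal observers to determine the rate of packet generation" should read "prevents ... from determining the rate of packet generation", and "packet frequency modulation, PFM" is clearer as "packet frequency modulation (PFM)". The "In the same time" to "At the same time" fix is good.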