Add more documentation about the "net.inet.ip.random_id" sysctl knob

and how it can affect information flow between observers.

MFC after:	1 week
This commit is contained in:
Hans Petter Selasky 2015-04-03 14:00:08 +00:00
parent 36725fc471
commit 7ab169a322


@ -28,7 +28,7 @@
.\" From: @(#)inet.4 8.1 (Berkeley) 6/5/93
.\" $FreeBSD$
.\"
.Dd April 2, 2015
.Dd April 3, 2015
.Dt INET 4
.Os
.Sh NAME
@ -244,10 +244,22 @@ IP datagrams (or all IP datagrams, if
.Va ip.rfc6864
is disabled) to be randomized instead of incremented by 1 with each packet
generated.
This closes a minor information leak which allows remote observers to
This prevents information exchange between any combination of two or
more inside and/or outside observers using packet frequency
modulation, PFM.
An outside observer can ping the outside facing port at a fixed rate
sampling the returned counter.
An inside observer can ping the inside facing port sampling the same
counter.
Even though packets don't flow directly between any of the observers
any single observer can influence the data rate the other observer(s)
is or are sampling.
This is done by sending more or less ping packets towards the gateway
per measured interval.
Setting this sysctl also prevents the remote and internal observers to
determine the rate of packet generation on the machine by watching the
counter.
In the same time, on high-speed links, it can decrease the ID reuse
At the same time, on high-speed links, it can decrease the ID reuse
cycle greatly.
Default is 0 (sequential IP IDs).
IPv6 flow IDs and fragment IDs are always random.
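Review bot: the replacement sentence at the top of this hunk, "This prevents information exchange between any combination of two or more inside and/or outside observers", overstates what randomizing the IP ID achieves and drops the removed line's accurate framing of the problem as an information leak. Randomizing the ID removes the shared, predictable counter that the following lines describe as the channel; it does not stop those observers from signalling through other side channels such as response timing, so the man page should scope the claim to the counter. Suggested wording: "This closes a covert channel: with sequential IDs, any observer who can elicit packets from the host can sample the counter and learn how many packets the host has sent in the interval, and two such observers, inside or outside, can signal to each other by varying their own request rates." Three smaller points in the same hunk: "prevents the remote and internal observers to determine" should read "from determining"; "Even though packets don't flow directly between any of the observers any single observer" needs a comma after "observers"; and "packet frequency modulation, PFM" coins an abbreviation that is not used elsewhere in the page, so either drop "PFM" or keep it only as a parenthetical on first use.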