authorkris <kris@FreeBSD.org>2001-06-01 10:02:28 +0000
committerkris <kris@FreeBSD.org>2001-06-01 10:02:28 +0000
commite1524eb20ca44614d4942a0b92929a02e67dce44 (patch)
tree9bd8aa0fc8cabc5d0cc01510f30e42d4a12277e2 /sys/conf
parent83f8b7087fd25f91158a6a096fad46b33b513773 (diff)
Add ``options RANDOM_IP_ID'' which randomizes the ID field of IP packets.
This closes a minor information leak which allows a remote observer to determine the rate at which the machine is generating packets, since the default behaviour is to increment a counter for each packet sent. Reviewed by: -net Obtained from: OpenBSD
Diffstat (limited to 'sys/conf')
-rw-r--r--sys/conf/NOTES7
-rw-r--r--sys/conf/files1
-rw-r--r--sys/conf/options1
3 files changed, 9 insertions, 0 deletions
diff --git a/sys/conf/NOTES b/sys/conf/NOTES
index fae6298..1485762 100644
--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
@@ -590,6 +590,13 @@ options IPFILTER_DEFAULT_BLOCK #block all packets by default
options IPSTEALTH #support for stealth forwarding
options TCPDEBUG
+# RANDOM_IP_ID causes the ID field in IP packets to be randomized
+# instead of incremented by 1 with each packet generated. This
+# option closes a minor information leak which allows remote
+# observers to determine the rate of packet generation on the
+# machine by watching the counter.
+options RANDOM_IP_ID
+
# Statically Link in accept filters
options ACCEPT_FILTER_DATA
options ACCEPT_FILTER_HTTP
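Review bot: The new comment above `options RANDOM_IP_ID` explains the leak being closed but not the constraint that comes with the fix. The ID field is still what a receiver uses to match fragments of one datagram, so a randomized ID must not repeat for the same source, destination and protocol while earlier fragments can still be in flight. The generator lives in netinet/ip_id.c, which is outside this sys/conf view, so whether it guarantees that is worth confirming there. I would add a line such as `# IDs are still unique per datagram for fragment reassembly; see netinet/ip_id.c.` and state that without this option the kernel keeps the incrementing counter.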
diff --git a/sys/conf/files b/sys/conf/files
index 872cbe9..22d4cb7 100644
--- a/sys/conf/files
+++ b/sys/conf/files
@@ -1037,6 +1037,7 @@ netinet/igmp.c optional inet
netinet/in.c optional inet
netinet/in_gif.c optional gif inet
#netinet/in_hostcache.c optional inet
+netinet/ip_id.c optional inet
netinet/in_pcb.c optional inet
netinet/in_proto.c optional inet
netinet/in_rmx.c optional inet
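Review bot: The added `netinet/ip_id.c optional inet` line sits between `netinet/in_hostcache.c` and `netinet/in_pcb.c`, which breaks the alphabetical order the surrounding `netinet/in_*` entries follow. It would read better next to the other `netinet/ip_*` entries, which are presumably further down and outside this hunk. The entry is also keyed on `inet` alone, so the file is built into every INET kernel whether or not RANDOM_IP_ID is configured. Presumably ip_id.c guards its contents with `#ifdef RANDOM_IP_ID`; that is not visible here and is worth confirming so the generator is not dead weight in kernels that never call it.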
diff --git a/sys/conf/options b/sys/conf/options
index d4349c3..f6315d1 100644
--- a/sys/conf/options
+++ b/sys/conf/options
@@ -278,6 +278,7 @@ NETATALK opt_atalk.h
PPP_BSDCOMP opt_ppp.h
PPP_DEFLATE opt_ppp.h
PPP_FILTER opt_ppp.h
+RANDOM_IP_ID
SLIP_IFF_OPTS opt_slip.h
TCPDEBUG
TCP_DROP_SYNFIN opt_tcp_input.h
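Review bot: `RANDOM_IP_ID` is listed with no header name, so config(8) puts its define in the default per-option header, `opt_random_ip_id.h`, and every source file that tests the option must include that header. A consumer that misses the include sees `#ifdef RANDOM_IP_ID` as false without any build error, so that path keeps sending the predictable counter even though the kernel was configured with the option. The consumers are outside this sys/conf-limited view, so the includes should be checked there. A comment line above the entry, for example `# RANDOM_IP_ID: include "opt_random_ip_id.h" wherever the option is tested`, would make the requirement visible to the next person adding a call site.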