authorkris <kris@FreeBSD.org>2001-06-01 10:02:28 +0000
committerkris <kris@FreeBSD.org>2001-06-01 10:02:28 +0000
commite1524eb20ca44614d4942a0b92929a02e67dce44 (patch)
tree9bd8aa0fc8cabc5d0cc01510f30e42d4a12277e2 /sys/netinet6/ipsec.c
parent83f8b7087fd25f91158a6a096fad46b33b513773 (diff)
Add ``options RANDOM_IP_ID'' which randomizes the ID field of IP packets.
This closes a minor information leak which allows a remote observer to determine the rate at which the machine is generating packets, since the default behaviour is to increment a counter for each packet sent. Reviewed by: -net Obtained from: OpenBSD
Diffstat (limited to 'sys/netinet6/ipsec.c')
-rw-r--r--sys/netinet6/ipsec.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/sys/netinet6/ipsec.c b/sys/netinet6/ipsec.c
index 8715cfc..b8a2447 100644
--- a/sys/netinet6/ipsec.c
+++ b/sys/netinet6/ipsec.c
@@ -2045,7 +2045,11 @@ ipsec4_encapsulate(m, sav)
ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: "
"leave ip_len as is (invalid packet)\n"));
}
+#ifdef RANDOM_IP_ID
+ ip->ip_id = ip_randomid();
+#else
ip->ip_id = htons(ip_id++);
+#endif
bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr,
&ip->ip_src, sizeof(ip->ip_src));
bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr,
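Review bot: The two branches of the new `#ifdef RANDOM_IP_ID` in ipsec4_encapsulate handle byte order differently, since the counter path goes through `htons()` while the result of `ip_randomid()` is stored raw, and nothing at the site says this is intentional. Byte order presumably does not matter for a random value, but ip_randomid() is defined outside this hunk, so a one-line comment such as `/* random ID: no htons() needed, byte order is irrelevant */` would save the next reader from checking. The same `#ifdef`/`#else` pair is probably needed wherever `ip_id` is assigned, and a site that is missed would still expose the packet rate the commit message describes, so a single helper or macro that yields the next ID would be safer than repeating the conditional. The function body starts and ends outside the hunk.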