• Eric Dumazet's avatar
    ip: make IP identifiers less predictable · bf63acfd
    Eric Dumazet authored
    [ Upstream commit 04ca6973 ]
    
    In "Counting Packets Sent Between Arbitrary Internet Hosts", Jeffrey and
    Jedidiah describe ways exploiting linux IP identifier generation to
    infer whether two machines are exchanging packets.
    
    With commit 73f156a6 ("inetpeer: get rid of ip_id_count"), we
    changed IP id generation, but this does not really prevent this
    side-channel technique.
    
    This patch adds a random amount of perturbation so that IP identifiers
    for a given destination [1] are no longer monotonically increasing after
    an idle period.
    
    Note that prandom_u32_max(1) returns 0, so if generator is used at most
    once per jiffy, this patch inserts no hole in the ID suite and do not
    increase collision probability.
    
    This is jiffies based, so in the worst case (HZ=1000), the id can
    rollover after ~65 seconds of idle time, which should be fine.
    
    We also change the hash used in __ip_select_ident() to not only hash
    on daddr, but also saddr and protocol, so that ICMP probes can not be
    used to infer information for other protocols.
    
    For IPv6, adds saddr into the hash as well, but not nexthdr.
    
    If I ping the patched target, we can see ID are now hard to predict.
    
    21:57:11.008086 IP (...)
        A > target: ICMP echo request, seq 1, length 64
    21:57:11.010752 IP (... id 2081 ...)
        target > A: ICMP echo reply, seq 1, length 64
    
    21:57:12.013133 IP (...)
        A > target: ICMP echo request, seq 2, length 64
    21:57:12.015737 IP (... id 3039 ...)
        target > A: ICMP echo reply, seq 2, length 64
    
    21:57:13.016580 IP (...)
        A > target: ICMP echo request, seq 3, length 64
    21:57:13.019251 IP (... id 3437 ...)
        target > A: ICMP echo reply, seq 3, length 64
    
    [1] TCP sessions uses a per flow ID generator not changed by this patch.
    Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
    Reported-by: default avatarJeffrey Knockel <jeffk@cs.unm.edu>
    Reported-by: default avatarJedidiah R. Crandall <crandall@cs.unm.edu>
    Cc: Willy Tarreau <w@1wt.eu>
    Cc: Hannes Frederic Sowa <hannes@redhat.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
    bf63acfd
route.c 86.4 KB