[Tor-BSD] random IP id thread

Carlo Strub cs at FreeBSD.org
Fri Apr 4 08:22:04 EDT 2014


04/04/2014 03:58 - George Rosamond wrote:

> I assume others saw the thread about IP ID randomization on tor-relays.
> 
> The disclosure is here:
> 
> http://seclists.org/fulldisclosure/2014/Mar/414
> 
> Basically, an attacker can theoretically correlate the user and the
> entry node they are using.  And heck, it's bad practice anyway *not* to
> randomize IP IDs.
> 
> It's default for a long while in OpenBSD, and there were multiple
> rant-talks in years past by OpenBSD devs at various cons.  It was past
> due for it to be implemented, so to rant was completely logical.
> 
> FreeBSD is affected, up to at least 10.x as per Pete.
> 
> It is strongly recommended to set the relevant setting in /etc/sysctl.conf:
> 
> net.inet.ip.random_id=1
> 
> And give it a reboot... or do that plus without the reboot:
> 
> sysctl net.inet.ip.random_id=1
> 
> I'm still perplexed why it's not default on FreeBSD... I vaguely
> remember some compatibility issues mentioned a long while ago.  I pinged
> talk@ and hopefully some FBSD dev will reply on it.
> 
> Or here...
> 
> g
> _______________________________________________
> A list focused on porting and running Tor software on *BSD Unix
> Tor-BSD mailing list
> Tor-BSD at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/tor-bsd
> 


I don't see how IP ID randomisation would help to mitigate the traffic analysis problem in general. We all know that if an attacker controls the traffic between the exit node and the webserver plus between the user and the entry node, traffic analysis is easy. I would only see mixing and high latency as a solution (as in mixmaster, mixminion, or pond), but that would make surfing the web using tor impractical.

CS
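The quoted advice above amounts to one sysctl line plus a persisted entry in /etc/sysctl.conf. The script below is an added example, not something posted in this thread, for auditing and persisting that setting on a FreeBSD relay. It assumes only documented FreeBSD behaviour: sysctl(8) reads /etc/sysctl.conf top to bottom at boot, so a later assignment overrides an earlier one, and `sysctl -n` prints the live kernel value. The function names and the file path parameter are this example's own.

```shell
#!/bin/sh
# Added example (not from the tor-bsd thread): check whether
# net.inet.ip.random_id is persisted as 1 in a sysctl.conf-style file,
# rewrite the file so that it is, and report the live kernel value.
# The conf file is a parameter so the script can be tried on a copy of
# /etc/sysctl.conf; the live check only works on a FreeBSD host.

KEY="net.inet.ip.random_id"

# Effective value of KEY in a sysctl.conf-style file. sysctl(8) applies the
# file top to bottom, so the last uncommented assignment wins. Comments and
# whitespace around '=' are tolerated. Prints "unset" if KEY never appears.
conf_value() {
    awk -v key="$KEY" '
        { line = $0; sub(/#.*/, "", line); gsub(/[[:space:]]/, "", line) }
        index(line, key "=") == 1 { val = substr(line, length(key) + 2) }
        END { if (val == "") print "unset"; else print val }
    ' "$1"
}

# Make KEY=1 the effective value in the file: every existing assignment of
# KEY is replaced (so no later line can override it) and one is appended if
# the file had none. Idempotent; keeps a .bak copy of the original.
ensure_random_id() {
    f="$1"
    [ -f "$f" ] || : > "$f"
    tmp="$f.tmp.$$"
    awk -v key="$KEY" '
        {
            line = $0; sub(/#.*/, "", line); gsub(/[[:space:]]/, "", line)
            if (index(line, key "=") == 1) { print key "=1"; found = 1 }
            else print
        }
        END { if (!found) print key "=1" }
    ' "$f" > "$tmp" && cp "$f" "$f.bak" && mv "$tmp" "$f"
}

# Live kernel value on a FreeBSD host; "unavailable" elsewhere or if the
# OID is missing. Persisting the file does not change this until reboot or
# an explicit `sysctl net.inet.ip.random_id=1`.
live_value() {
    sysctl -n "$KEY" 2>/dev/null || echo unavailable
}

# Usage: ./random_id_check.sh /etc/sysctl.conf
# Reports both values and fixes the file when the persisted value is not 1.
if [ -n "${1:-}" ]; then
    printf 'persisted in %s: %s\n' "$1" "$(conf_value "$1")"
    printf 'live kernel value: %s\n' "$(live_value)"
    if [ "$(conf_value "$1")" != "1" ]; then
        ensure_random_id "$1"
        printf 'rewrote %s; persisted value is now %s\n' "$1" "$(conf_value "$1")"
    fi
fi
```

Run it against a copy of the file first; the persisted and live values are reported separately because a host can have the file fixed and still be generating sequential IP IDs until the sysctl is applied.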

