[e2e] Re: Question on "identification" field of IP header
Ramesh Shankar
RShankar at Novell.COM
Sat Dec 14 13:06:53 PST 2002
Thanks for the pointer. I have heard that the IP ID field is used as a
covert channel by hackers. Apparently a rogue SSL implementation was
leaking session keys in the IP ID field. While not foolproof or the
ultimate defense, if I don't need to use the IP ID field for IP
datagrams with the don't fragment bit set (mostly TCP), then it may be
useful as an intrusion detection technique.
Thanks,
S.R.
Felix Hernandez-Campos wrote:
> Ramesh Shankar wrote:
>
>> If the "Don't fragment bit" is set in the IP header, what purpose
>> does the "identification" field serve? Why can't I simply put 0 for
>> this field in such a case? I remember coming across some e-mail chain
>> in one of the mailing lists (TCP-IMPL, e2e, TSVWG) about this issue
>> and the interaction with NAT. But I am not sure what came out of that
>> discussion.
>
>
> You may want to have a look at Steve Bellovin's "A Technique for
> Counting NATed Hosts", presented at IMW 2002. The paper discusses how
> the IP header's ID field can be used to infer the number of hosts
> behind a NAT box.
>
> Regards,
> Felix.
>
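The check the message proposes, as an added example that is not part of the original post: under the assumed policy that monitored hosts send ID 0 on unfragmented datagrams with the don't-fragment bit set, a sensor flags any such datagram carrying a non-zero ID. The function names, addresses and sample packets are constructed for illustration.

```python
import socket
import struct

DF = 0x4000           # Don't Fragment bit in the 16-bit flags/offset word
MF = 0x2000           # More Fragments bit
OFFSET_MASK = 0x1FFF  # 13-bit fragment offset


def make_header(ident, flags_frag, src="192.0.2.10", dst="198.51.100.7"):
    """Constructed 20-byte IPv4 header for the demo (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ident, flags_frag,
                       64, socket.IPPROTO_TCP, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def check_ip_id(packet):
    """Return a finding string for one packet, or None if it fits the policy."""
    if len(packet) < 20:
        return "truncated"
    if packet[0] >> 4 != 4:
        return None  # not IPv4, outside this check
    ident, flags_frag = struct.unpack_from("!HH", packet, 4)
    # Fragments need the ID for reassembly, so only whole datagrams are judged.
    is_fragment = bool(flags_frag & (MF | OFFSET_MASK))
    if (flags_frag & DF) and not is_fragment and ident != 0:
        return "nonzero-id-with-df id=0x%04x" % ident
    return None


def scan(packets):
    """Return (index, finding) for every packet that violates the policy."""
    findings = []
    for index, packet in enumerate(packets):
        finding = check_ip_id(packet)
        if finding is not None:
            findings.append((index, finding))
    return findings


# Constructed sample traffic, not captured from any real host.
SAMPLES = [
    make_header(0x0000, DF),       # conforms to the assumed policy
    make_header(0x4B1D, DF),       # DF set, yet the ID carries a value
    make_header(0x1234, 0),        # DF clear: ID may be needed later
    make_header(0x1234, MF),       # first fragment: ID is needed
    make_header(0x0000, DF)[:12],  # truncated header
]

if __name__ == "__main__":
    for index, finding in scan(SAMPLES):
        print(index, finding)
```

The check is only meaningful for traffic from hosts known to follow the zero-ID policy; stacks that fill in the ID on every datagram would be flagged on every packet.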
More information about the end2end-interest
mailing list