Re: [secdir] review of Updated Specification of the IPv4 ID Field

Steven Bellovin <smb@cs.columbia.edu> Sun, 01 July 2012 18:39 UTC

From: Steven Bellovin <smb@cs.columbia.edu>
In-Reply-To: <p06240800cc16315859fd@[192.1.255.188]>
Date: Sun, 1 Jul 2012 14:39:30 -0400
Message-Id: <1496F5C4-1EFC-4B69-8034-4898EC49CD1D@cs.columbia.edu>
References: <p06240800cc16315859fd@[192.1.255.188]>
To: Stephen Kent <kent@bbn.com>
Cc: secdir@ietf.org
Subject: Re: [secdir] review of Updated Specification of the IPv4 ID Field

I would add that there have been other security-relevant uses of IPid.  Hal Burch's dissertation (sorry, I don't have the precise citation handy), and I think his papers with Bill Cheswick used it to see if two different IP addresses corresponded to the same node.  The Rocketfuel paper (Spring et al., SIGCOMM 2002) did the same thing.  I seem to recall various hacks that relied on it, including to detect idle hosts.
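The alias-detection use Bellovin mentions rests on one property of many stacks of that era: a single, global, sequential counter fills the Identification field for every datagram the host sends, so replies from two addresses of the same host interleave into one rising sequence, while replies from unrelated hosts (or from a stack that randomises the field) do not. The following is an added example, written for this archive page and not code from the thread, the cited papers or any IETF document; it simulates both stack behaviours and the observer's check so a defender can see what the leak looks like and why per-datagram random IDs remove it. The class and function names (`SequentialIdHost`, `RandomIdHost`, `observe`, `shared_counter`), the 16-ID gap tolerance and the RFC 5737 documentation addresses are all my constructions.

```python
import random

ID_MODULUS = 1 << 16  # the IPv4 Identification field is 16 bits wide


class SequentialIdHost:
    """Constructed model of a stack with one global, sequential IP ID counter.

    Every datagram, whichever of the host's addresses it leaves from,
    takes the next value of the same counter.
    """

    def __init__(self, addresses, start):
        self.addresses = set(addresses)
        self.next_id = start % ID_MODULUS

    def send(self, src):
        if src not in self.addresses:
            raise ValueError(f"{src} is not an address of this host")
        ident = self.next_id
        self.next_id = (self.next_id + 1) % ID_MODULUS  # wraps at 2^16
        return ident


class RandomIdHost:
    """Constructed model of a stack that draws each ID at random.

    Consecutive datagrams carry unrelated IDs, so an observer cannot tell
    whether two addresses share a counter (there is no counter to share).
    """

    def __init__(self, addresses, rng):
        self.addresses = set(addresses)
        self.rng = rng

    def send(self, src):
        if src not in self.addresses:
            raise ValueError(f"{src} is not an address of this host")
        return self.rng.randrange(ID_MODULUS)


def observe(hosts_by_address, addr_a, addr_b, rounds):
    """Alternate probes to two addresses and record the reply IDs in arrival order."""
    trace = []
    for _ in range(rounds):
        for addr in (addr_a, addr_b):
            trace.append(hosts_by_address[addr].send(addr))
    return trace


def shared_counter(trace, max_gap=16):
    """True if every successive ID advances by 1..max_gap modulo 2^16.

    That pattern means the two addresses appear to draw from one counter;
    a few IDs of unrelated background traffic are tolerated by max_gap.
    """
    return all(0 < (b - a) % ID_MODULUS <= max_gap
               for a, b in zip(trace, trace[1:]))


def demo():
    """Run the check against the three cases and return the verdicts."""
    rng = random.Random(7)
    # Constructed hosts; the sequential one starts near the wrap point so
    # the modular comparison is exercised.
    same_seq = SequentialIdHost({"192.0.2.1", "192.0.2.2"}, start=65530)
    other_seq = SequentialIdHost({"198.51.100.9"}, start=12000)
    same_rnd = RandomIdHost({"203.0.113.5", "203.0.113.6"}, rng)
    hosts = {a: same_seq for a in same_seq.addresses}
    hosts.update({a: other_seq for a in other_seq.addresses})
    hosts.update({a: same_rnd for a in same_rnd.addresses})
    return {
        # two addresses, one global counter: the leak the thread describes
        "same_host_sequential": shared_counter(observe(hosts, "192.0.2.1", "192.0.2.2", 10)),
        # two unrelated counters: no interleaving sequence
        "different_hosts": shared_counter(observe(hosts, "192.0.2.1", "198.51.100.9", 10)),
        # same host, random IDs: the inference fails, which is the mitigation
        "same_host_random": shared_counter(observe(hosts, "203.0.113.5", "203.0.113.6", 10)),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: shared counter inferred = {verdict}")
```

Run against a real stack the same check is a self-assessment: probe two of your own interfaces and feed the observed IDs to `shared_counter`; a `True` verdict means the host is correlatable across addresses by anyone who can elicit replies from both. The idle-host detection Bellovin recalls is the same leak read along the time axis (a global counter that does not advance between probes is a host that sent nothing), and random or per-destination ID assignment closes both readings at once.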