
List:       netfilter-devel
Subject:    Re: scrubbing support in Netfilter
From:       Nicolas Bareil <nico () chdir ! org>
Date:       2008-05-28 7:33:31
Message-ID: 87d4n6nar8.fsf () chdir ! org

Patrick McHardy <kaber@trash.net> writes:
> No, unless you're refering to the unwanted side-effects from
> defragmentation and refragmentation for IPv4. I also don't
> want to include something like this in netfilter, NAT is
> already bad enough and the threats it *might* protect against
> seem a bit vague. Better throw your broken IDS out if can
> be fooled by changing TTLs.

Indeed, you're totally right: in an ideal world, it should be useless
and avoided, but there are cases where you need "a workaround" because
you have some legacy equipment, broken IDS, broken TCP/IP stack, etc.

> I don't want to sound too discouraging though, I have no problem
> adding it to the pom-ng sources.list.

No problem, if you feel it better fits there, I'm ok with that.

> I assume its a random offset per connection, but still, no.
> You can also still distinguish different hosts by their clock
> rates.

What do you mean precisely? Variation of the TCP Timestamp? TCP
retransmission mechanisms?

Thanks

-- 
Nicolas Bareil                                  http://chdir.org/~nico/
OpenPGP=0xAE4F7057 Fingerprint=34DB22091049FB2F33E6B71580F314DAAE4F7057
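Added example (not part of the thread, and not Netfilter or pom-ng code): the clock-rate point Patrick raises can be made concrete by fitting TSval against capture time per connection. A random per-connection offset, as assumed here, shifts where each flow's TSval starts, but the slope is still the sender's timestamp clock rate, so flows from the same host line up and flows from hosts with different clock rates do not. The captures, flow ids and hosts below are constructed for illustration; the modulo-2^32 unwrapping handles an offset that lands the TSval near the wraparound point.

```python
"""Estimate a sender's TCP timestamp clock rate from TSval samples.

Added example for the netfilter-devel thread, not code from the thread
or from Netfilter. Assumption: each connection gets a random TSval
offset, but TSval advances at the sender's own clock rate.
"""
from collections import namedtuple

# capture_time in seconds (pcap-style), tsval as the 32-bit TSval option value
Sample = namedtuple("Sample", "capture_time tsval")

TS_MOD = 1 << 32  # TSval is a 32-bit counter and wraps


def unwrap_tsvals(samples):
    """TSval deltas from the first sample, modulo 2^32, so a random offset
    that sits just below the wrap point still yields a clean linear series."""
    base = samples[0].tsval
    return [(s.tsval - base) % TS_MOD for s in samples]


def estimate_rate(samples):
    """Least-squares slope of unwrapped TSval vs. capture time, in ticks/s.
    The per-connection offset is the intercept and drops out of the slope."""
    if len(samples) < 2:
        raise ValueError("need at least two samples")
    t0 = samples[0].capture_time
    xs = [s.capture_time - t0 for s in samples]
    ys = unwrap_tsvals(samples)
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("capture times must differ")
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx


def group_flows_by_rate(flows, rel_tol=0.02):
    """Group flow ids whose estimated clock rates agree within rel_tol.
    Returns [(rate_of_first_member, [flow ids]), ...] sorted by rate."""
    rates = sorted((estimate_rate(samples), fid) for fid, samples in flows.items())
    groups = []
    for rate, fid in rates:
        if groups and abs(rate - groups[-1][0]) <= rel_tol * groups[-1][0]:
            groups[-1][1].append(fid)
        else:
            groups.append((rate, [fid]))
    return groups


def synth_flow(rate_hz, offset, n=6, interval=0.5, t0=1000.0):
    """Constructed capture of one connection: n segments, interval seconds
    apart, TSval = (offset + rate_hz * elapsed) wrapped to 32 bits."""
    return [
        Sample(t0 + k * interval, (offset + int(round(rate_hz * k * interval))) % TS_MOD)
        for k in range(n)
    ]


# Constructed flows: A1 and A2 come from a 1000 Hz host with two different
# random offsets (A2's offset wraps during the capture); B is a 250 Hz host.
SAMPLE_FLOWS = {
    "A1": synth_flow(1000, 12345),
    "A2": synth_flow(1000, 0xFFFFFF00),
    "B": synth_flow(250, 777),
}

if __name__ == "__main__":
    for fid, samples in SAMPLE_FLOWS.items():
        print(fid, "first TSval", samples[0].tsval, "rate", round(estimate_rate(samples), 1))
    for rate, ids in group_flows_by_rate(SAMPLE_FLOWS):
        print("host clock ~%.0f Hz:" % rate, ids)
```

With these inputs the three flows start at unrelated TSval values, yet A1 and A2 fall into one group at ~1000 ticks/s and B into another at ~250 ticks/s. On real captures the slopes carry jitter from queuing delay, so the tolerance should be set from the spread of a longer fit rather than the 2% used here.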

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html