On Mon, 04 Jun 2007 22:06:25 -0400 Daniel Senie <dts@senie.com> wrote:
At 09:07 PM 6/4/2007, Jason Lewis wrote:
I figured SMB would chime in...but his research says it's not so anonymous.
The traffic load on this list is rather high; I've had to flush most of this and other threads....
Give or take NAT boxes / firewalls that specifically have features to mess with the IP ID. The SonicWALL products have, for example, a checkbox that says: "Randomize IP ID".
That's relatively new, and possibly in response to my paper; as of when I wrote it, I couldn't find any vendors that DTRT.
Some vendors apparently have taken measures to ensure methods such as monitoring IP ID are less effective. The paper notes this, and the issues with doing this.
So the "not so anonymous" statement above is really "not so anonymous, give or take the implementation of the firewall/NAT".
I suspect there are other information leaks, such as the RFC 1323 timestamps, TCP sequence numbers (for some platforms), port number allocation, etc. Many of these are (or can be) randomized on some platforms, but I don't know of any systematic analysis. I also wonder if some popular web sites' cookies embed the IP address -- possibly encrypted to them, so they can track where you are. I'm 100% that some sites do that for authenticated connections. (On the larger issue, I feel that typical NATs provide no security benefit over typical stateful packet filters. Given other issues -- traceability of attacks, impediments to end-to-end secure connections, the need for special-purpose things like STUN servers, etc. -- I could make a good case that they're a net disadvantage. But I'm on the verge of flushing this thread, so I may not see the responses....) --Steve Bellovin, http://www.cs.columbia.edu/~smb