Bug 195828

Summary: security/tor and security/tor-devel pkg-message for enabling random IP IDs
Product: Ports & Packages
Reporter: George <george>
Component: Individual Port(s)
Assignee: Brendan Fabeny <bf>
Status: Closed FIXED
Severity: Affects Only Me
Flags: bugzilla: maintainer-feedback? (bf)
Priority: Normal
Version: Latest
Hardware: Any
OS: Any

Description George 2014-12-09 16:28:43 UTC
There is significant concern in the Tor community (torproject.org) that there is a potential weakness in Tor relays that do not randomize IP IDs.  FreeBSD by default does not enable randomized IP IDs.  Adding this to the pkg-message would provide the simple steps to enable:

For those concerned about the potential of traffic
analysis with sequential IP ID numbers, you can enable randomized IP IDs
on a running system with 'sysctl net.inet.ip.random=1'.  To maintain
this setting after reboots, add 'net.inet.ip.random=1' to /etc/sysctl.conf.

Comment 1 Bugzilla Automation freebsd_committer freebsd_triage 2014-12-09 16:28:43 UTC
Auto-assigned to maintainer bf@FreeBSD.org

Comment 2 George 2014-12-09 18:05:06 UTC
Rather, it's:

net.inet.ip.random_id=1

Comment 3 commit-hook freebsd_committer freebsd_triage 2014-12-11 13:58:01 UTC
A commit references this bug:

Author: bf
Date: Thu Dec 11 13:57:33 UTC 2014
New revision: 374532
URL: https://svnweb.freebsd.org/changeset/ports/374532

Log:
  Warn about a vulnerability in the default configuration

  PR:		195828

Changes:
  head/security/tor/Makefile
  head/security/tor/files/pkg-message.in
  head/security/tor-devel/Makefile
  head/security/tor-devel/files/pkg-message.in

Comment 4 George 2014-12-11 21:45:34 UTC
Thanks.

I would be clear that AFAIK this is not a documented "vulnerability in the default configuration" as much as it's mitigation for potential traffic analysis.

Therefore, I think it might be better to word it more carefully with something like:

For those concerned about the potential of traffic
analysis with sequential IP ID numbers, you can enable randomized IP IDs
on a running FreeBSD system with 'sysctl net.inet.ip.random_id=1'.  To maintain
this setting after reboots, add 'net.inet.ip.random_id=1' to /etc/sysctl.conf.
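
Added example, not part of the original thread or of the port: a shell function that audits a sysctl.conf-style file for the persistent setting proposed in the comment above, and flags the `net.inet.ip.random` name from the original description that comment 2 corrected. The function name `check_random_id`, its result strings and the sample file are illustrative assumptions; the check also assumes that a later assignment in the file overrides an earlier one.

```shell
#!/bin/sh
# Added example: audit a sysctl.conf-style file for persistent IP ID
# randomization (net.inet.ip.random_id=1), as discussed in this PR.

# check_random_id FILE
# Prints: enabled | disabled | wrong-name | missing | unreadable
# Returns 0 only when net.inet.ip.random_id=1 is the effective setting.
check_random_id() {
    conf=$1
    [ -r "$conf" ] || { echo "unreadable"; return 2; }
    result=$(awk '
        { sub(/#.*/, "") }            # drop comments, whole-line or trailing
        !/=/ { next }                 # skip blank and non-assignment lines
        {
            key = $0; sub(/=.*/, "", key);    gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/[ \t"]/, "", val)
            if (key == "net.inet.ip.random_id") seen = val  # assumed: last wins
            if (key == "net.inet.ip.random")    typo = 1    # name corrected in comment 2
        }
        END {
            if (seen == "1")     print "enabled"
            else if (seen != "") print "disabled"
            else if (typo)       print "wrong-name"
            else                 print "missing"
        }' "$conf")
    echo "$result"
    [ "$result" = "enabled" ]
}

# Constructed sample: first the name from the original description,
# then the corrected name appended after it.
sample=$(mktemp)
printf '%s\n' '# tor relay host (constructed sample)' 'net.inet.ip.random=1' > "$sample"
echo "before correction: $(check_random_id "$sample" || true)"
printf '%s\n' 'net.inet.ip.random_id=1' >> "$sample"
echo "after correction:  $(check_random_id "$sample" || true)"
rm -f "$sample"
```

The function only inspects the file; the value in effect on a running FreeBSD system is reported by `sysctl net.inet.ip.random_id`.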

Comment 5 Brendan Fabeny freebsd_committer freebsd_triage 2015-03-09 08:42:14 UTC
I don't think that we need quibble about the commit message -- it is a vulnerability in the sense that successful deanonymization has been demonstrated under realistic conditions.  And I don't hesitate to make a positive recommendation to use randomization -- both the upstream developers and other authorities do so as well, and nearly every tor user ought to be concerned about this.  I'll reconsider the message, since I think there ought to be a warning about exceeding ipport_randomcps. But I want to keep it short, and I am not sure that the pkg-message of a port is the best place to instruct novices on how to make a persistent sysctl setting.

Comment 6 George 2015-03-11 16:46:26 UTC
No issues from me bf@.

I hadn't read that it had been shown in practice and I didn't test it myself, although theoretically it makes sense.

Regarding where to put some of the additional comments, it's a tough question. Would a specific FreeBSD Tor man page, or a README make sense?

I agree that long pkg-messages are ugly.

Comment 7 commit-hook freebsd_committer freebsd_triage 2015-03-30 11:58:57 UTC
A commit references this bug:

Author: bf
Date: Mon Mar 30 11:58:49 UTC 2015
New revision: 382650
URL: https://svnweb.freebsd.org/changeset/ports/382650

Log:
  update to 0.2.6.6 [1]; add another hint to the pkg-message [2]; use @sample [3];
  add CPE information [4]; update the rc-script [5]

  PR:		198710 [1], 199003 [1], 195828 [2], 198164 [3], 197493 [4], 197998 [5]

Changes:
  head/security/tor/Makefile
  head/security/tor/distinfo
  head/security/tor/files/pkg-message.in
  head/security/tor/files/tor.in
  head/security/tor/pkg-plist
  head/security/tor-devel/Makefile
  head/security/tor-devel/distinfo
  head/security/tor-devel/files/pkg-message.in