What kind of methods are used to calculate IP ID fields?


I'm doing a bit of research on the methods of generating the ID field of the IP headers.

I have read the sources and other documents and have confirmed that Linux generates a random number for every peer (IP) it communicates with, and then it increments the ID by 1 for subsequent IP packets it sends to that peer.

My question is, do you know the reasons/methods behind this behavior? Why track the peers the kernel has talked to (with the memory and CPU time needed for all that stuff)?

I have started this research because I'm playing a bit with idle scan techniques.

References with more detail are preferred.


Posted 2013-03-21T15:06:12.847

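The per-peer random-start-then-increment behaviour described in the question, and its effect on an idle scan, as an added simulation. This is constructed illustration code, not code from the original post and not the Linux kernel's implementation: the two host classes, the address constants and the probe functions are all assumptions made here. It models a stack with one global IP ID counter shared by every destination beside a stack with a separate randomly started counter per destination, then runs the idle-scan style probe sequence (probe the zombie, let the zombie send packets to a third host, probe again) from the attacker's vantage against both.

```python
"""Simulation of two IP ID generation strategies and what an idle-scan
style observer can infer from each.  Constructed example; not the
original post's code and not the kernel's implementation."""
import random

# Constructed addresses for the three roles in an idle scan.
ATTACKER = "198.51.100.1"
ZOMBIE = "198.51.100.2"   # the host whose IP IDs the attacker samples
TARGET = "198.51.100.3"   # the host the zombie is made to send packets to

IP_ID_MASK = 0xFFFF       # the IP ID field is 16 bits wide


class GlobalCounterHost:
    """Stack with one global IP ID counter shared by every destination,
    the classic idle-scan zombie behaviour (hypothetical model)."""

    def __init__(self, seed=0, start=None):
        rng = random.Random(seed)
        self._next = start if start is not None else rng.randrange(IP_ID_MASK + 1)

    def next_ip_id(self, dst):
        ip_id = self._next
        self._next = (ip_id + 1) & IP_ID_MASK   # wraps at 16 bits
        return ip_id


class PerPeerCounterHost:
    """Stack that keeps one counter per destination, started at a random
    value on first contact, as the question describes for Linux
    (hypothetical model)."""

    def __init__(self, seed=0):
        self._rng = random.Random(seed)
        self._counters = {}  # dst address -> next IP ID for that peer

    def next_ip_id(self, dst):
        if dst not in self._counters:
            self._counters[dst] = self._rng.randrange(IP_ID_MASK + 1)
        ip_id = self._counters[dst]
        self._counters[dst] = (ip_id + 1) & IP_ID_MASK
        return ip_id


def probe_ip_id(zombie, attacker=ATTACKER):
    """The attacker elicits one reply from the zombie and reads its IP ID."""
    return zombie.next_ip_id(attacker)


def probe_deltas(zombie, n, attacker=ATTACKER):
    """Differences between n consecutive probes with no other traffic in
    between: what the attacker sees when the zombie is idle."""
    ids = [probe_ip_id(zombie, attacker) for _ in range(n)]
    return [(b - a) & IP_ID_MASK for a, b in zip(ids, ids[1:])]


def hidden_traffic_count(zombie, packets_to_target,
                         attacker=ATTACKER, target=TARGET):
    """Idle-scan inference: probe, let the zombie send packets_to_target
    packets to a third host, probe again, and return how many packets the
    attacker can infer were sent to someone else in between.
    Returns 0 when the sampled IP IDs reveal nothing about that traffic."""
    before = probe_ip_id(zombie, attacker)
    for _ in range(packets_to_target):
        zombie.next_ip_id(target)
    after = probe_ip_id(zombie, attacker)
    delta = (after - before) & IP_ID_MASK
    return delta - 1  # one step is the attacker's own second probe


if __name__ == "__main__":
    for cls in (GlobalCounterHost, PerPeerCounterHost):
        print(cls.__name__, "idle probe deltas:", probe_deltas(cls(), 5))
        print(cls.__name__, "packets to target inferred after 3 sent:",
              hidden_traffic_count(cls(), 3))
```

From the attacker's own probes both stacks look the same: each probe returns the previous ID plus one. The difference only appears once the zombie talks to someone else. With the global counter the two probes bracket every packet the zombie sent to the target, which is what an idle scan relies on; with the per-peer counter the attacker only ever samples the counter for its own address, so the delta stays at one no matter how much the zombie sends elsewhere.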



When your computer talks to a peer computer (or even a "remote" server), and then receives a response from that peer or remote computer, it is not enough to know WHO that response came from. You also need to know which conversation is being responded to.

Over time, and at any given time, you may have multiple conversations open between your computer and another peer computer (or more than one computer). You may have requested a variety of information in a mix of the same or different protocols. Some requests may take (much) longer to respond to than others. The responses to those requests are asynchronous, and will not be received in the same or in any predictable order. Some requests may receive multiple responses.

This all needs to be tracked so when a response is received, it can be identified as to which "conversation" it belongs to.

I couldn't find a specific reference to this for the case you described, but it is similar to how IMAP expects a client to provide a "tag" that is typically incremented with each new "command". For this, and I suspect in the case you are asking about, there is no requirement to "increment" the tag with each use (and so, no references are likely to be found). The only requirement is that the tag be unique for each use. Starting with a unique string (or number), and then incrementing it with each use ensures it is unique, without having to specifically remember which "tags" have already been used. (IMAP, RFC 3501, Section 2.2.1.)

Kevin Fegan


I believe that port numbers provide the disambiguation that you are talking about. – Scott – 2013-03-21T18:58:33.107

@Scott - You might have multiple conversations to the same peer/server open at the same time, on the same port. For example, 2 (or more) SSH sessions open on the same server using the same port number (default-port 22), or 2 (or more) browser windows/tabs open on the same server also using the same port number (default-port 80), at the same time. – Kevin Fegan – 2013-03-21T19:22:21.900

Yes, but they will *always* have different port numbers on the client side.  (You know, those numbers above 1000 that the OS assigns automatically.) – Scott – 2013-03-21T19:32:21.827


The sequence number (see RFC 6528) should be unguessable for somebody who doesn't have access to the data stream (some attacks, notably the famous one by Mitnick, are based on guessing it and impersonating the counterpart). That is why Linux uses a true random number here. Other operating systems are much sloppier; nmap checks how carefully they do it (and probably includes an extensive database on how systems do it). That there isn't a reliable source of random numbers is especially troubling in machines like WiFi routers.

(Yes, this sort of vulnerability has been known and been warned against since the very first versions of TCP; yes, in their infinite laziness many operating system/network stack writers just used a fixed one, or incremented it regularly, or something equally "intelligent", mostly for the sake of "performance".)



Thanks, @vonbrand. I already knew the reason for using random numbers with this kind of field (IP's ID, TCP's sequence number...), but thanks for the explanations and the references.

Even so, I still have my main doubt. Even with Linux using a true random number for the first packet in a "connection", why does Linux use guessable numbers from that point? Isn't it a security issue? – Ole – 2013-04-02T09:15:50.467