Security Basics mailing list archives

Re: ip id numbers


From: Paul Cardon <paul () moquijo com>
Date: Mon, 10 Mar 2003 14:01:37 -0500

dsax () syseng com wrote:

I'm new to posting on this list although I'm a long-time lurker. I'm familiar with TCP sequence number exploits. Recently I've seen references to non-random IP ID numbers and how they can be exploited. Can anyone explain the difference between TCP sequence and IP ID numbers?

The IP ID number is a 16-bit number in the IP header of an IP packet and is assigned on an individual packet basis. It is used in support of IP fragment reassembly (along with the source and destination IP address fields) to identify which fragments are part of the same original packet.

TCP sequence numbers are 32-bit values in the TCP header of TCP packets only. TCP is a stateful protocol that deals with streams of data. These data streams are broken up into individual packets. Each packet is assigned a sequence number that is incremented by the number of bytes sent in the previous packet. Since there is no guarantee that the receiving host will receive packets in the same order they are sent, the TCP sequence number is used to reconstruct the stream in the correct order.

TCP sequencing is initiated at the source host and stream reassembly is performed at the destination. IP fragmentation can happen at any intermediate hop in the path between source and destination where the packet size exceeds the MTU of the transmission medium, but the fragment reassembly also occurs at the destination.

While it is rare, TCP packets may be fragmented so the individual packets in the stream may have to go through fragmentation reassembly at the IP layer before the TCP layer can reassemble the stream.

-paul
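As an added example (not part of the original thread), a small Python reassembler shows where each number lives: IP fragments are matched on (source, destination, protocol, IP ID) and only once the datagram is whole does the TCP sequence number in its header become readable. The packet bytes are constructed inline; note that RFC 791 keys reassembly on the protocol field as well as the two addresses and the ID, which the reply above leaves out.

```python
import struct
from collections import defaultdict

IP_FMT = "!BBHHHBBH4s4s"   # minimal IPv4 header without options (20 bytes)

def build_ipv4(src, dst, ip_id, proto, payload, frag_offset=0, more_fragments=False):
    """Constructed IPv4 packet: 16-bit IP ID plus MF flag and fragment offset (8-byte units)."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    hdr = struct.pack(IP_FMT, 0x45, 0, 20 + len(payload), ip_id, flags_frag, 64, proto, 0, src, dst)
    return hdr + payload

def parse_ipv4(pkt):
    ver_ihl, _, total_len, ip_id, flags_frag, _, proto, _, src, dst = struct.unpack(IP_FMT, pkt[:20])
    return {"src": src, "dst": dst, "id": ip_id, "proto": proto,
            "mf": bool(flags_frag & 0x2000), "offset": (flags_frag & 0x1FFF) * 8,
            "payload": pkt[(ver_ihl & 0x0F) * 4:total_len]}

def reassemble(packets):
    """Group fragments by (src, dst, protocol, IP ID) and return payloads of datagrams with no holes."""
    groups = defaultdict(list)
    for p in map(parse_ipv4, packets):
        groups[(p["src"], p["dst"], p["proto"], p["id"])].append(p)
    complete = {}
    for key, frags in groups.items():
        frags.sort(key=lambda f: f["offset"])
        if frags[-1]["mf"]:
            continue                     # final fragment (MF=0) has not arrived yet
        buf, expected = b"", 0
        for f in frags:
            if f["offset"] != expected:
                break                    # gap between fragments: datagram still incomplete
            buf, expected = buf + f["payload"], expected + len(f["payload"])
        else:
            complete[key] = buf
    return complete

def tcp_seq(payload):   # the 32-bit sequence number sits in the TCP header, inside the IP payload
    return struct.unpack("!HHI", payload[:8])[2]

def demo():
    # Constructed TCP segment: 20-byte header (data offset 5, PSH|ACK) plus an HTTP request line.
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0x1A2B3C4D, 0, 5 << 4, 0x18, 65535, 0, 0) + b"GET / HTTP/1.0\r\n\r\n"
    a, b, other = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), bytes([10, 0, 0, 9])
    packets = [  # fragments arrive out of order; a packet from another host reuses the same IP ID
        build_ipv4(a, b, 0x1234, 6, tcp[16:], frag_offset=16),
        build_ipv4(a, b, 0x1234, 6, tcp[:16], frag_offset=0, more_fragments=True),
        build_ipv4(other, b, 0x1234, 6, b"x" * 8),
    ]
    return reassemble(packets)
```

Because the third packet shares the IP ID but comes from a different source address, it is reassembled as its own datagram rather than being mixed into the TCP segment.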
