The battle for a more secure Internet is waged on many fronts, including the most basic of networking protocols. Our focus is the IPv4 Identifier (IPID), an IPv4 header field as old as the Internet with an equally long history as an exploited side channel for scanning network properties, inferring off-path connections, and poisoning DNS caches. This article taxonomizes the 25-year history of IPID-based exploits and the corresponding changes to IPID selection methods. By mathematically analyzing these methods' correctness and security and empirically evaluating their performance, we reveal recommendations for best practice as well as shortcomings of current operating system implementations, emphasizing the value of systematic evaluations in network security.

翻译：构建更安全互联网的斗争在多条战线上展开，其中甚至包括最基础的网络协议。本文聚焦于IPv4标识符（IPID）——这一与互联网同龄的IPv4头部字段，其作为被利用侧信道的历史同样悠久，常被用于扫描网络属性、推断路径外连接及污染DNS缓存。本文对基于IPID的攻击手段的二十五年历史及相应的IPID选择方法演进进行了系统性分类。通过对这些方法的正确性与安全性进行数学分析，并结合实证研究评估其性能，我们揭示了最佳实践建议以及当前操作系统实现中存在的缺陷，从而强调了系统性评估在网络安防领域的重要价值。