Tracking a Specific Machine Anywhere On The Net
An anonymous reader writes "An article on ZDNet Australia tells of a new technique developed at CAIDA that involves using the individual machine's clock skew to fingerprint it anywhere on the net." Possible uses of the technique include "tracking, with some probability, a physical device as it connects to the Internet from different access points, counting the number of devices behind a NAT even when the devices use constant or random IP identifications, remotely probing a block of addresses to determine if the addresses correspond to virtual hosts (for example, as part of a virtual honeynet), and unanonymising anonymised network traces."
Fingerprinting (Score:5, Insightful)
This dissertation will get this dude himself a position with the NSA. Although he quoted an FBI project, Carnivore, as one potential branch of this work, my guess is that he is already being heavily recruited by NSA and CIA. They have more resources than the FBI to grab somebody like this, and would be smart to try and recruit him. Hey Tadayoshi.....you want a job?
Seriously. While lots of folks have been looking at ways to hard code the IP address within the hardware, this is a more impressive (and unique) way of looking at the problem. Everything has a signature of sorts that can be tracked (skin plumes, small molecular phenotypes, genetics, acoustic signatures, thermal signatures, etc....etc....etc...), and Tadayoshi simply decided to examine those small variations built into electronic devices to fingerprint hardware. Very clever, but of course nanomanufacturing is the counter to this technology. I say of course, but the "arms race" to do that is not an insignificant achievement. Tadayoshi's technology will absolutely have some significant staying power.
Re:Fingerprinting (Score:5, Insightful)
This is also totally avoidable by applying modern security practices to old protocols. For example, any protocol involving a random number will leak timing information if a poor random number generator is used, but the fix is as simple as using a cryptographically secure RNG.
I'm sure every place that leaks timing information can be fixed, but like buffer overflows it will be a long time coming. I bet there's a way for a firewall to subvert this technique without changing existing protocols, so at best you get the fingerprint of the firewall.
Re:Fingerprinting (Score:5, Informative)
Let me put it this way. It is like measuring just height. If you are looking for a suspect who is 6'2", you can rule out the people who are 5'6". But if you find somebody who is 6'2", this does not make them automatically the perpetrator.
You can combine this with other techniques (like nmap). But this would be like saying "the criminal has blond hair and blue eyes, and is 6'2". This would rule out 95% or more of the population, but the false positive rate would still be high.
And now that people know about this, I bet that it would be easy to put in some type of change in the Linux kernel to randomize the timing values just a little. Then, you could swamp the signal with noise. Then, you are back to where you were having just nmap.
Re:Fingerprinting (Score:5, Insightful)
My question is if this clock skew can be consistently measured across multiple OSes installed on the same laptop (dual boot anyone?).
entropy (Score:4, Informative)
Re:Fingerprinting (Score:3, Insightful)
The clock skew for a particular device seemed to be reasonably constant over time and location (+/- 0.5 microsecond/sec) and nearly all devices had skews within the range -100 microseconds/sec to +100 microseconds/sec. This suggests the technique would only be useful for identification purposes when there are less than 100 or so candidate devices. Of course, this figure would go up substantially if the technique can be combine
Re:Fingerprinting (Score:5, Interesting)
However, I share one concern with you: just because my clock skew is 2.138ms doesn't preclude someone else from having the same skew. Not having had time to read the whole paper, I would like to see data on the probability that two computers may have the same clock skew. If it's 1 in 1000, that doesn't get you far considering the number of unique hosts sending packets across the ether. Also, remember this is only limited to IP protocols that can provide time data.
Re:Fingerprinting (Score:3, Insightful)
Yes, but from a law-enforcement point of view, it is very helpful to be able to eliminate members of a suspect list.
It seems to me that the main trouble is that it's
Re:Fingerprinting (Score:5, Informative)
If what they are actually measuring is the variations of the individual clock generators (crystal oscillators), those crystals have accuracies measured in PPM (parts per million). So there is not a lot of variation to measure. And the latencies would likely not be able to be measured in sub-nanosecond resolution, which is what you would need in order to determine this sort of thing with the type of accuracy that you are describing.
I would imagine that it is like trying to measure the thickness of a penny with a cheap wooden ruler. Yes, you can get a number out of it. But don't expect 5 digits of resolution.
And don't forget that crystal oscillators also have variations that depend on temperature. So your computer could have one skew spec when idling, and another when you are doing some hard gaming.
Of course, I could be completely wrong about this. The article did not have quite enough details. I am making some somewhat-educated guesses here.
Don't misunderstand me though. This is cool stuff. When combined with a tool like nmap, this would give another data point. But somehow I doubt that this is the super "computer fingerprint" that it is made out to be. And I doubt that it could be used as evidence in a criminal trial.
Re:Fingerprinting (Score:3, Funny)
Even with a poor resolution source (I think ping can report us), when you average enough of them (millions) you can easily get nanosecond resolution.
This is incredibly accurate (Score:4, Informative)
The article linked to by slashdot does not fit the technical aptitude of many of the readers. Fortunately, it does link to the actual 15 page paper. The official page link with abstract is here [caida.org]. The full 15-page text is available in PDF. [caida.org]
With regards to your question about accuracy, here is a snippet from the actual paper (PDF):
This is an incredibly accurate and precise method of verifying if the computer is the same.
Some people have also mentioned NTP subverting this method. Here are a couple of key quotes about NTP.
Additionally, the method described can be used with the TCP timestamps option which
Paraphrasing, the article says that this technique can be used by websites, Carnivore-like apps, anybody between you and the computer you are communicating with, banner-ad companies and ISPs (think Comcast forcing you to not use a NAT).
This is an incredible, and incredibly scary, way to track a physical computer. Doubtless, many security reform
Re:Fingerprinting (Score:3, Funny)
Re:Fingerprinting (Score:5, Insightful)
Re:Fingerprinting (Score:3, Interesting)
Aren't our current random numbers generated from the clock? If so, then adding random numbers to the timestamp won't change the essential nature of the problem will it?
Re: (Score:3, Informative)
Re:Fingerprinting (Score:3, Interesting)
No, this won't help as it changes the dispersion of the skew samples, but the mean value (that's what they measure) stays the same.
What you need to do is to make your machine clock appear to run slower or faster to the external observer. You can do that by applying a constant skew offset to your true clock gradually.
For example, say clock() returns true machine clock, then
Re:Fingerprinting (Score:5, Insightful)
Re:Fingerprinting (Score:5, Interesting)
Re:Fingerprinting (Score:4, Interesting)
I know changing mine changed the rate of error on the clock.
Re:Fingerprinting (Score:3, Interesting)
Damn, just used my last mod point.
This was exactly what I was wondering. Wouldn't a simple battery swap every now and then mangle the reliability of the drift data? What about the effects of power line conditions, electromagnetic interference, etc.?
If anyone can answer, I'm genuinely curious.
Re:Fingerprinting (Score:5, Interesting)
Even easier than that - Just run an NTP server on your LAN.
RFC1323 specifies a resolution down to 1ms. Below that, the proposed fingerprinting method can't tell anything. Now, I keep one internal machine as a stratum-3 timeserver, and the rest get a feed off that directly over the local ethernet. "ntpq -p" tells me that I have (as of 22 seconds ago) a jitter of 2 to 7ms compared with the outside world. On the inside... Oooh, 0.082ms. Guess what snooping technique will reveal absolutely nothing about my LAN (or any LAN with all machines sync'ed to a common internal source)?
In general, this technique will fail absolutely miserably. The author acknowledges the non-uniqueness of time offsets, but makes the mistake of assuming a more-or-less uniform distribution within a small range of true. In reality, the distribution will fit very tightly inside the 25ms range (oddly enough, thanks to Microsoft including their hack-of-an-NTP-client in Windows XP, and having it on by default), with only one or two percent of machines straying beyond 100ms drift. If this technique can only see down to 1ms, it effectively ends up lumping somewhere around 100 million machines into 200 buckets. Not exactly what I'd call a positive ID, when even a fully-populated class-C would almost certainly result in offset collisions...
Re:Fingerprinting (Score:3, Interesting)
Nevertheless, Kohno's technique is still pretty good because it will work today on many machines, and we all know h
Re:Fingerprinting (Score:3, Interesting)
It may be possible to get much higher resolution measurements by averaging lots of samples. It's possible to measure the speed of light using 'ping' this way.
Re:Fingerprinting (Score:3, Interesting)
You can sync all you want, but unless you are syncing every few hundred nanoseconds, the rate of drift will be apparent and measurable.
Re:Fingerprinting (Score:3, Interesting)
2) Right, and older techniques to do different sorts of fingerprinting measure timestamp skew by looking at random number output instead. My point was: for any exploit there is a fix, if you care enough.
3) You mean it *is not* blocked by firewalls today. *Cannot* be blocked is nonsense. A firewall (or even a clever NAT box) can just alter the RFC 1323 TCP timestamps in the passing packets to disguise the source. It's easier than many of the tricks stateful firewa
Re:Fingerprinting (Score:2, Interesting)
I can see it now....
gLocate (beta) - Find Your Computer... Anywhere!
Firewalls? (Score:4, Interesting)
Paper and technical details are here: (Score:5, Informative)
John.
Re:Paper and technical details are here: (Score:3, Insightful)
While I don't think this would hold up as evidence in a court of law, it certainly might have some use as a covert authentication protocol, along with the other signatures noted.
With respect to privacy issues, resetting your system time via NT
Re:Paper and technical details are here: (Score:3, Informative)
Kind of. You'll need to reset to an NTP server sufficiently often that your total drift never approaches the resolution of the system's timestamp clock. No measurable drift means no measurable skew.
So if you have a system that uses a TSopt clock with 500
This can be good... (Score:5, Interesting)
Ted Tschopp
Re:This can be good... (Score:4, Insightful)
In addition, it's really of no use to mere mortals... No way is the FBI/NSA going to spend a second looking through their logs to help you catch a small-time criminal. It's only of help for those who have great political importance, and for companies who want to track you...
Re:This can be good... (Score:3, Informative)
This is really only a way to get people who are unprepared and not expecting to be snooped on.
Re:This can be good... (Score:3, Insightful)
Yep because criminals and pawnshop owners are smart enough to do those things. In a world where people still use crystal meth, I think it's safe to assume jackasses that steal the random laptop or car aren't going to swap hardware on a motherboard or run ut
read the paper (Score:5, Interesting)
He was able to identify machines even though they were using NTP. Changing the date/time won't help for the same reasons.
I'd be interested in seeing someone point out the "quartz crystal" in a notebook. You could modify the skew by swapping some chips. The difficulty of this is not great, simply de-solder the old and solder in the new (of course, the avg slashdotter thinks soldering is some kind of elite skill). The cost on the other hand is another issue.
If someone were really serious, they would, as other posters have mentioned, modify their kernel to use a cryptographic randomization of their skew. However, this is only useful if many people were to do it. Otherwise, you are identified as the guy with the random skew.
As for real use: if the FBI were using this to identify the computers used by the guys who cracked them, they could then use their "deployed" servers to look for others with the same fingerprint. They would then have a list of suspects to work with.
Re:This can be good... (Score:3, Insightful)
Most people who steal laptops don't even reinstall the OS, and I know people who recovered their laptops using the noip client that they had on the machine (http://www.noip.com).
The thing
Re:This can be good... (Score:2)
Re:This can be good... (Score:3, Informative)
this is about determining if a computer that connects to _you_ is possibly the same.
the article of course blows the thing as to be much bigger than just that and ignores ways to defeat this.
if you just skimmed through it you'd think that anyone can determine where anywhere on the net a certain computer is - which is of course ridiculous.
Dangers with licence activation (Score:5, Interesting)
Several points here. If true, it could be used to devastating effect in licensing / activation programs. Many publishers view downloading software onto multiple machines as proof of violating single machine license agreements, while at the same time allowing multiple downloads of that software to ease the customer service burden from "It didn't work when I first tried to download it" calls. If somebody were to buy such a package and then download it to his desktop and then later to his laptop, this kind of fingerprinting would allow the publisher to catch him.
From TFA, it says that: This sounds to me like firewalls would have to be modified to intentionally hide this data and remove this difference in timestamp calculations (the firewall generates both and back translates when doing NAT). So it's just a call for yet another firewall patch. Can the firewall vendors patch and globally implement faster than this privacy exploit can be exploited? I would hope so at least.
Re:Dangers with licence activation (Score:5, Insightful)
How about this though? (Score:3, Funny)
Re:How about this though? (Score:5, Insightful)
You assume incorrectly and are missing the point of this technology. Buy all the PCMCIA cards you want and you will still be able to be tracked with this technology. Essentially, it relies on "clock skewing" which means that when a CPU cycles, there are minor nano differences in the architecture of it that induce slight variations in the timing of the clock at various points throughout the CPU. When expanded out to the entire system, CPU, motherboard, peripherals, the differences become more complicated, but unique and thus easier to establish a unique signature.
Re:How about this though? (Score:2)
Not working out the math or knowing exactly what Tadayoshi has done, I cannot say for sure, but I am inclined to believe that the resulting signature would be a harmonic or some multiple of the original and still easily able to be identified by adding a function that searched possible variations along any simple modifiers.
Obligatory bash quote (Score:5, Funny)
Re:Obligatory bash quote (Score:3, Funny)
Re:Obligatory bash quote (Score:5, Funny)
So... (Score:5, Interesting)
i) most (say, 75%) of internet-connected computers have clocks correct to within a couple of minutes.
ii) Few TCP timestamp clocks bother with a click time shorter than 1ms.
That means that 75% of the computers must be mapped to a space containing 4*60*1000 = 240,000 unique items.
Now, surely there are more than a quarter of a million computers on the Net, so how will this enable us to track a device uniquely?
Re:So... (Score:2)
However, it's one piece of data that can be added to other pieces of data to uniquely identify you.
Re:So... (Score:3, Interesting)
So while the idea is theoretically interesting, I'm not sure it's of any practical use.
Re:So... (Score:5, Insightful)
Furthermore, if I understand the concept correctly, this technology is somewhat limited by the need for getting those packages in the first place. You must be somewhere on the line and actively listen. You could use this in a honeypot network to see if you were attacked by the same guy, but from different IP addresses. You could eliminate the quasi-privacy that a dynamic IP address is currently associated with. But you won't catch that pesky kiddie that rerouted his attack through 10k zombies. You won't catch the professional hacker that knows what a SSH gateway is. And you won't catch the "terrorist" that uses iCafe computers anyway.
ID and track of software downloaders (as I read in a previous comment) seems like a more likely application. But even that can be foiled by a determined user.
Easily avoidable? (Score:5, Insightful)
Re:Easily avoidable? (Score:2, Insightful)
My guess is OpenBSD will have this or a similar countermeasure pretty soon.
AH! (Score:2, Interesting)
Extremely interesting, and logical. "Microscopic" differences in hardware clock timing. One must wonder if more can be thought of. Chipset timings in nic cards... quantum tcp theory...
Your Rights Online (Score:2)
(I mean your actual rights, not the
Re:Your Rights Online (Score:2)
Wow, I hate this new fascism. Why do I bother writing this? Nobody will ever see it now that my rights on-line are gone...
Slashdot is Slipping (Score:5, Funny)
Can't you turn this off on Linux? (Score:5, Informative)
echo 0 >
Re:Can't you turn this off on Linux? (Score:5, Informative)
I believe so, and on OpenBSD:
And make the appropriate edit in /etc/sysctl.conf.
Re:Can't you turn this off on Linux? (Score:3, Interesting)
Another way to obfuscate oneself from this fingerprint technique while maintaining compliance might be to modulate your CPU clock/bus speed on a period (day/hour/minute). Under/overclock yourself to hundreds of new identities!
Re:Can't you turn this off on Linux? (Score:3, Interesting)
echo 0 >
echo 0 >
This is very true; however, if you read the paper linked in the article:
TCP Timestamps option from RFC 1323 [13] whereby, for performance purposes, each party in a TCP flow includes information about its perception of time in each outgoing packet. A fingerprinter can use the information contained within the TCP headers to estimate a device'
Sceptical (Score:5, Interesting)
I am a little sceptical as to how well this works. PC clocks are rather crappy and temperature sensitive. If you look at the ntp.drift file, you will see a diurnal pattern. Plus, I would suspect that if this technology became widespread, someone would add some dither to adjtime() to throw it off.
Re:Sceptical (Score:3, Funny)
This ntp.drift file - is it in the \Windows folder, or \Documents and Settings?
Re:Sceptical (Score:4, Funny)
FORMAT C:
Also, you'll have to reboot with an MS DOS Diskette, so XP doesn't save you from yours- er... because WinXP hides that data. _
Yeah, that's it.
Re:Sceptical (Score:5, Informative)
Re:Sceptical (Score:3, Informative)
So, the way to accomplish this is by finding a non-reproducible seed value. The Intel PIII has a "hardware random number generator that uses thermal noise" as the seed. OpenSSH uses PRNG to create entropy by doing such things as watching timing i
My bad... (Score:2)
Oops; brain fart. ntp.drift is the wrong place to look. You have to enable statistics logging in ntp.conf.
TCP/IP stack (Score:2, Insightful)
1) Erase all your BitTorrent-related tools and get all your stuff from less knowledgeable friends via a DVD burner.
2) Get your hands on that TCP/IP stack implementation and modify it (like the geek you are) to add or subtract one unit at random from the least significant digit of the timestamp. (Is that technically feasible,
Either way, bye-bye Carnivore!
What about IBM's laptop anti theft stuff (Score:3, Informative)
NAT (Score:3, Interesting)
Re:NAT (Score:2, Troll)
What are you using to track? (Score:4, Interesting)
yet another smackdown for freedom (Score:3, Insightful)
counting the number of devices behind a NAT even when the devices use constant or random IP identifications
I, for one, welcome our new time-skew fingerprinting overlords.
Seriously though. This is yet another pile of steaming scary crap. Where are the days when I could telephone someone and NOT have to be identified. (caller id). Now I can't be an anonymous coward because slashdot can sniff my time-skew and put my name up anyway. Now the cable company can learn that I have multiple machines behind the firewall even though my contract says only one
Is this really necessary? Nothing is sacred anymore. I want to be able to live my life behind my walls without people constantly peeking through the curtains, and that's what this is. At some point we have to stand up and say "you stop here" to these damn peeping toms.
On Linux... (Score:2)
Clocks Drift (Score:3, Interesting)
I was trying to settle an argument with a friend that I could track him on my site even if he used various proxies.
The technique only worked for a while. And then the difference tended to drift. After a few hours the visitor couldn't be recognised anymore.
I know this is a highly simplified example but wouldn't the clock drift and inaccuracies in time keeping foul up this detection eventually?
Passively obtaining the 'clock skew'/rate of drift etc across the net doesn't seem sufficiently accurate to uniquely identify a machine.
NTP and ambiant temp (Score:2)
OpenBSD (Score:2)
We need a large base of samples (Score:2)
the NSA^Wanticypher
Countermeasure (Score:2)
Changing Clock (Score:3, Interesting)
If it relies on the clock changing slowly over time, then why wouldn't it be possible to randomly change your clock time by a few milliseconds forward or back every few minutes?
Only distinguishes between 1 machine in 30 or so. (Score:3, Interesting)
Note how linear those skew lines are. That data looks so good that it needs independent verification. Others have observed more variation in clock skew than that. Computer clocks aren't normally observed to have error that consistent. There's variation with temperature. One wonders if they ran this test during a period when the target machines (a computer lab) were not in use.
NTP doesn't help (Score:5, Informative)
Please stop suggesting NTP as a "countermeasure." It doesn't help--this is repeated over and over again in the paper. As far as I can tell, turning off TCP timestamps does.
Atomic Cocks (Score:3, Interesting)
Re:Atomic Cocks (Score:3, Funny)
Open BIOS needed (Score:3, Interesting)
Course, I guess portions of the OS might not like that.
this could help free services (Score:3, Interesting)
If we could have used something like this to ban by computer, that would have been great.
Simple question: Why? (Score:4, Interesting)
Not so simple:
What is the danger to the world that an individual PC is unidentified?
Compared to that danger, is the loss of anonymous free speech worth it?
If the answer is yes, then do we ourselves get to identify the PC's of CEO's, congressmen, celebrities, and other Upper Class members? Or is anonymity reserved for those who are rich enough, famous enough, powerful enough, or connected enough to hide?
And if they get to hide, but not us, isn't the very security we buy with our freedom to be anonymous then a sham? A method of control, the way Scott Ritter the ex-Marine weapons was slimed with kiddie-porn allegations from law enforcement that were just happening to be monitoring his habits just as he was being vindicated in his proclamations that the war's justifications were fake? BTW: the charges were dropped after his cred was ruined. Nice job burning the witch, Rove. Power to monitor coupled with the power to accuse and charge is the power to silence anyone, anytime for any reason and suffer NO CONSEQUENCES. Who was charged with sliming Ritter at such a politically convenient time for the Bushites? No one. And in the future, when they come for you, no one will save you or punish your accusers. Who themselves are anonymous and untouchable.
Are YOU safe from ruin if someone monitors you 24 hours a day?
If they can justify monitoring your internet usage, or track anyone they like, the legal precedent is set to monitor anyone, anytime, for any reason or non-reason, such as political/economic personal assassination. Not just your PC. What would stop them from establishing cameras on poles in front of your house to monitor your comings and goings? Microphones? They can already "sneak and peek" with a judge's rubber stamp and no subpoena. They are establishing precedent to track your car with devices planted without warrant.
The current administration is currently using security laws to crush lawsuits about the detention and torture of people taken secretly after 9/11. Tom Delay used Homeland Security, illegally, to track down the Texas Democrats last year to bring them home to force a vote to disenfranchise Texas democrats - no penalties for him, and a precedent and example was set. The security apparatus established during the hysteria is being used to crush political opposition to the President and his party; they have shown that they are abusing their power, and care nothing that anyone knows.
The internet is the last, only hope for anonymous gatherings and free speech left in the world, and they, the amalgamate they are desperately shutting down the last means of mankind to speak to power without getting arrested or ruined for claiming their birthright.
I've not the skills to fix this technically. But we need a new communications system, asap, that is not under U.S. control or capable of being traced or monitored. I've got zilch. Is there a way of making a new pipe that CAN'T be subverted or controlled by the power mad? This is a serious question, and we may need an answer really soon.
I see some interesting uses, and limitations (Score:4, Interesting)
That said, there are some useful things you could do with this. One example I can think of would be to detect some obfuscated scanning techniques. As an example, nmap implements idle scanning [insecure.org], which is usually reasonably obvious because of the characteristic SYN->SYN/ACK->RST sequence, especially if the SYN and RST have different TTLs. Adding timestamp checks would make it more obvious (although, just as difficult to track down the original scanner).
Also, if someone used a decoy scan in nmap, it might be reasonably easy to tell which source addresses were really the same machine. You would probably also get enough information to construct a fairly accurate timestamp/skew profile of that machine. If you ever saw those IP addresses again, then you'd be able to check whether it was the real machine.
But, these are just my own ramblings. At the very least it seems to be interesting work (although the article linked is pretty crummy).
Can I ask a dumb question? (Score:4, Funny)
Re:Wouldn't it be easier (Score:2)
Re:Wouldn't it be easier (Score:2, Informative)
MAC ADDRESSESS ARE NOT UNIQUE TO THE INTERNET.
on a single segment local lan, yes you can be fairly sure they are unique (but not indelible)
MAC addresses are trivial to change, spoof, alter, randomize.
In other words:
mac based security, isn't.
Re:Wouldn't it be easier (Score:2)
Re:Wouldn't it be easier (Score:2)
MAC addresses can easily be changed or spoofed. MAC addresses also do not get sent beyond the local segment, so you won't find a computer's MAC address on any packets beyond the first router.
Re:Wouldn't it be easier (Score:2)
Not really. First you could trivially hide your computer by swapping out the NIC. New NIC = new MAC address.
And second placing your computer behind NAT hides its MAC address from anything upstream. They can only see the MAC address of the NAT device. (Which is also usually easy to change, in order to work with ISPs who attempt to lock the connection to the MAC address of
Re:Wouldn't it be easier (Score:2)
So no, tracking by MAC is completely useless outside your own LAN.
Doesn't work that way (Score:5, Informative)
A) the MAC address is available only on the last segment. Or rather, it's at the ethernet (not IP) level, and it's used to direct packets along a particular segment. It changes all the time as a packet moves through the internet, or even disappears completely if you go through an ATM cloud or some such.
B) Most (or at least many) devices allow you to change the MAC address. There are good reasons for doing this.
Re:Wouldn't it be easier (Score:2, Informative)
Re:Wouldn't it be easier (Score:2)
2. MACs can be changed by software
Re:Wouldn't it be easier (Score:2, Insightful)
Re:for windows user (Score:4, Informative)
It doesn't help. They're not tracking time error or system time but clock skew. Essentially, if the clock is supposed to tick once every second, they're measuring the deviation of the clock's rate from that ideal.
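The measurement this poster describes (the rate deviation, estimated as the slope of TCP-timestamp offsets over observer time) together with the two countermeasures debated earlier in the thread (adding random noise to each timestamp versus gradually applying a constant fake rate), as an added Python example that is not code from Kohno's paper or from any poster. The device, its traffic and the 10.0.0.x addresses are constructed, and ordinary least squares stands in for the paper's linear-programming fit.

```python
"""Clock-skew estimation from TCP timestamps (RFC 1323), simulated offline.
Added example, not from the paper or the thread; no packets are sent or read."""
import random


def estimate_skew_ppm(samples, hz):
    """Return the remote host's estimated clock skew in parts per million.

    samples: (t_recv, tsval) pairs, t_recv in observer seconds, tsval the TCP
    timestamp option value; hz is the remote TSopt clock rate (1000 for 1 ms).
    The offsets tsval/hz - t_recv drift linearly when the remote clock runs at a
    slightly different rate; the slope of that line is the skew. The paper fits
    the line by linear programming; least squares is a simpler stand-in here
    (assumption). Constant offsets (uptime, fixed path delay) only move the
    intercept, which is why resetting the time via NTP does not hide the skew.
    """
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples")
    t0 = samples[0][0]
    xs = [t - t0 for t, _ in samples]
    ys = [tsval / hz - x for x, (_, tsval) in zip(xs, samples)]
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx * 1e6


def simulate_flow(true_skew_ppm, hz, n, interval, rng, jitter_ticks=0, fake_skew_ppm=0.0):
    """Construct n (t_recv, tsval) samples from a modelled device (constructed data).

    true_skew_ppm: how much faster (+) or slower (-) the device clock really runs.
    jitter_ticks:  zero-mean random +/- ticks added to every TSval, the thread's
                   'add noise to the timestamp' idea.
    fake_skew_ppm: a constant extra rate on the exposed clock, the thread's
                   'make the clock appear to run faster or slower' idea.
    """
    uptime = rng.uniform(1e5, 1e6)  # arbitrary device clock value at start, seconds
    out = []
    for i in range(n):
        t_send = i * interval  # true (observer-frame) transmit time
        dev_clock = uptime + t_send * (1 + (true_skew_ppm + fake_skew_ppm) / 1e6)
        tsval = int(dev_clock * hz) + rng.randint(-jitter_ticks, jitter_ticks)
        t_recv = t_send + rng.uniform(0.0, 0.005)  # 0-5 ms of variable path delay
        out.append((t_recv, tsval))
    return out


def group_by_skew(flows, hz, tol_ppm):
    """Estimate each flow's skew and bucket source addresses whose skews agree
    within tol_ppm: the 'same device behind different addresses' use (decoy
    scans, NAT counting). Skew is not unique, so a shared bucket is only a
    candidate match, never an identification on its own."""
    est = {src: estimate_skew_ppm(s, hz) for src, s in flows.items()}
    groups = []
    for src in sorted(est, key=est.get):
        for g in groups:
            if abs(est[g[0]] - est[src]) <= tol_ppm:
                g.append(src)
                break
        else:
            groups.append([src])
    return est, groups


def demo(seed=1):
    """Four constructed flows: one device with a +50 ppm skew seen plainly, the
    same device adding +/-5 ticks of jitter (mean unchanged, so still matched),
    the same device disguised with a -30 ppm fake rate (no longer matched), and
    an unrelated device. Addresses are constructed private examples."""
    rng = random.Random(seed)
    hz, n, dt = 1000, 3000, 0.2  # 1 ms TSopt clock, ~10 minutes of packets
    flows = {
        "10.0.0.1": simulate_flow(50.0, hz, n, dt, rng),
        "10.0.0.2": simulate_flow(50.0, hz, n, dt, rng, jitter_ticks=5),
        "10.0.0.3": simulate_flow(50.0, hz, n, dt, rng, fake_skew_ppm=-30.0),
        "10.0.0.4": simulate_flow(-12.0, hz, n, dt, rng),
    }
    return group_by_skew(flows, hz, tol_ppm=2.0)


if __name__ == "__main__":
    est, groups = demo()
    for src, ppm in est.items():
        print(f"{src}: {ppm:+.2f} ppm")
    print("candidate same-device groups:", groups)
```

Run it to see that the jittered flow still lands in the same bucket as the plain one while the constant fake rate moves it out, which is the point the earlier reply makes about dispersion versus mean.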
Re:Way around it... (Score:3, Informative)
In pf.conf simply add the following line:
scrub on $ext_if all reassemble tcp
and you are good to go.