IPv4 Identification (IPID) fields have long been exploited in side-channel attacks—including network scanning, connection inference, and DNS cache poisoning—exposing systemic deficiencies in existing IPID selection mechanisms regarding correctness, security, and performance. Method: We introduce the first unified taxonomy of IPID selection methods, combining formal modeling, probabilistic analysis, and cross-platform empirical measurement to systematically evaluate 25 years of attack evolution and IPID implementations across mainstream operating systems. Contribution/Results: Our study identifies predictable IPID behaviors in multiple OS kernels, enabling practical side-channel exploitation. We quantify the fundamental security–performance trade-off inherent in IPID design and propose verifiable, RFC-compliant design principles that simultaneously mitigate side channels, minimize computational overhead, and preserve interoperability. The work establishes a rigorous theoretical foundation and actionable guidelines for securing IP stack implementations against IPID-based vulnerabilities.

The battle for a more secure Internet is waged on many fronts, including the most basic of networking protocols. Our focus is the IPv4 Identifier (IPID), an IPv4 header field as old as the Internet with an equally long history as an exploited side channel for scanning network properties, inferring off-path connections, and poisoning DNS caches. This article taxonomizes the 25-year history of IPID-based exploits and the corresponding changes to IPID selection methods. By mathematically analyzing these methods' correctness and security and empirically evaluating their performance, we reveal recommendations for best practice as well as shortcomings of current operating system implementations, emphasizing the value of systematic evaluations in network security.