I think we need to make sure here that we're not passing in the same entropy that's passed in from the uint32_t *validation parameter. It might make sense to pass in IPID directly too since that's more tightly typed.

Fair, I've moved to only generating the ip_id in send.c here and passing it directly in.

Also, I changed to using random_bytes which reads from /dev/urandom, should be completely distinct from any other RNG in our code.

This does an additional extra full blown AES block encryption for every single packet, in order to produce 16 bits of IP ID. In my quick perf testing on a 10GbE box with 8 cores and netmap, this change reduces send rate from 10.44 Mp/s to 8.80 Mp/s.

Would a more lightweight PRNG make more sense here, think cyclic group like for target permutation, instead of the AES-based PRNG?

Hmm, that sounds like a significant perf. hit, thanks for running those numbers! Let me look at grabbing the last 16 bits from permutation like @zakird mentioned, I'll double-check no probe-module uses those.

fwiw, 46fac21 resolves the perf hit for me.