From owner-freebsd-security@FreeBSD.ORG Tue Apr 1 22:15:17 2003
From: David Pick
To: richard childers / kg6hac
cc: security@FreeBSD.ORG
Subject: Re: rfc3514 - Security Flag in the IPv4 Header
Date: Wed, 02 Apr 2003 07:14:59 +0100
In-reply-to: Your message of "Tue, 01 Apr 2003 14:41:34 -0800." <3E8A159E.382DC088@pacbell.net>

> Any chance this is an April Fool's joke? The idea is sound and brilliant
> in concept.
> Inquiring minds see a real snakepit involved in applications
> setting and honoring a bit that conveys dishonorable
> intentions. /-:

I think it's unfortunate that someone as well respected as Stephen Bellovin should fall prey to an obvious trap.
One might very well think that it really doesn't matter which way a bit gets set (or, to put it another way, whether a zero or one value indicates "Evil"). Taken in isolation this is true; however, as with all "upwards compatible" changes to the Internet protocols, we have to take into account the previous situation.

Pre-RFC3514 packets will have this bit set to a value of zero, and this includes packets with evil intent. Since we know that *most* packets on the Internet at the moment are of evil intent, we should assume this fact and insist that packets should have this bit set to one to positively assure us that the packet is *known* to have pure and unsullied motives.

After all, in the security world it is recognised that a "default deny" policy is much stronger than a "default accept" policy.

--
David Pick
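The compatibility point in the post above (legacy senders leave the bit at zero, so the meaning assigned to zero decides whether the filter is default-accept or default-deny) can be made concrete with a small IPv4 header parser. The following is an added example and is not code from the thread or from RFC 3514; the packet bytes are constructed for the example, and the bit position (the high-order, formerly reserved bit of the Flags field) is the one RFC 3514 names. It also shows the caveat a practitioner hits immediately: touching that bit invalidates the header checksum, which must be recomputed.

```python
import struct

# RFC 3514 puts the "evil bit" in the high-order bit of the 16-bit
# Flags/Fragment-Offset word at header offset 6 (the formerly reserved bit).
EVIL_BIT_MASK = 0x8000


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words, checksum field treated as zero."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    if len(zeroed) % 2:
        zeroed += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(zeroed) // 2), zeroed))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header fields this example needs."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _ident, flags_frag, _ttl, proto, cksum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "ihl": ihl,
        "reserved_bit": (flags_frag & EVIL_BIT_MASK) >> 15,
        "df": (flags_frag >> 14) & 1,
        "mf": (flags_frag >> 13) & 1,
        "frag_offset": flags_frag & 0x1FFF,
        "proto": proto,
        "checksum_ok": ipv4_checksum(packet[:ihl]) == cksum,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }


def set_reserved_bit(packet: bytes, value: int) -> bytes:
    """Copy of packet with the reserved/evil bit set to value, checksum recomputed."""
    ihl = (packet[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    flags_frag = (flags_frag & 0x7FFF) | (EVIL_BIT_MASK if value else 0)
    header = packet[:6] + struct.pack("!H", flags_frag) + packet[8:ihl]
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + packet[ihl:]


def rfc3514_policy(packet: bytes) -> str:
    """Default accept, as in the RFC: only a packet that declares itself evil is dropped."""
    return "drop" if parse_ipv4_header(packet)["reserved_bit"] == 1 else "accept"


def default_deny_policy(packet: bytes) -> str:
    """The post's inversion: a packet must assert benign intent (bit = 1) or it is dropped."""
    return "accept" if parse_ipv4_header(packet)["reserved_bit"] == 1 else "drop"


# Constructed sample: a minimal 20-byte IPv4 header from a pre-RFC3514 sender
# (DF set, reserved bit clear, ICMP, 192.168.0.1 -> 192.168.0.2, valid checksum 0xb995).
LEGACY_PACKET = bytes.fromhex("45000014" "00004000" "4001b995" "c0a80001" "c0a80002")


def compare_policies(packet: bytes) -> dict:
    """How the same legacy packet fares under both readings of the bit."""
    return {
        "rfc3514": rfc3514_policy(packet),
        "default_deny": default_deny_policy(packet),
        "default_deny_after_opt_in": default_deny_policy(set_reserved_bit(packet, 1)),
    }


if __name__ == "__main__":
    print(parse_ipv4_header(LEGACY_PACKET))
    print(compare_policies(LEGACY_PACKET))
```

Run stand-alone it reports the legacy packet as accepted by the RFC's default-accept reading and dropped by the default-deny reading, and accepted again only once the sender opts in by setting the bit; the parser's `checksum_ok` field stays true across the rewrite because `set_reserved_bit` recomputes the header checksum.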