Date:      Thu, 06 May 2004 20:29:28 -0400
From:      Richard Coleman <richardcoleman@mindspring.com>
To:        Julian Elischer <julian@elischer.org>
Cc:        Andre Oppermann <andre@freebsd.org>
Subject:   Re: Default behaviour of IP Options processing
Message-ID:  <409AD868.1020101@mindspring.com>
In-Reply-To: <Pine.BSF.4.21.0405061542170.82978-100000@InterJet.elischer.org>
References:  <Pine.BSF.4.21.0405061542170.82978-100000@InterJet.elischer.org>

Julian Elischer wrote:

> On Thu, 6 May 2004, David W. Chapman Jr. wrote:
> 
>>> We are using the RR option all the time to track down routing
>>> asymmetry, and traceroute is not an option; ping -R is very useful
>>> in those cases. We all know that ipfw (and I am sure all other
>>> *pf*) is able to process IP opts quite well, and I personally see no
>>> point in these sysctls.  I fail to see a documentation update
>>> (inet.4 ?) as well.
>>> 
>>> It is not clear to me why you ever ask for opinions after commit,
>>> not before.  Strick "nay" if you care :-)
>> 
>> He hasn't changed the default yet.  But I think for the select few
>> who actually use such tcp options, they can enable it.  Most of
>> the users however will not need this.  I think the point that is
>> trying to be made is that they want the default installation to be
>> more secure and those who need these features can simply turn them
>> on.
> 
> What security problem are you expecting?

Isn't that irrelevant?  If 99.99% of the FreeBSD users don't need IP 
options, why should they be honored by default?

Just because we can't think of a security issue at the moment doesn't 
mean one won't show up in the future.

But in the interest of POLA, I would vote for the default to be 0 (just 
ignore the option and pass packet unmodified).

And regardless of the outcome, please mention this somewhere in the 
networking section of the FreeBSD handbook.

Richard Coleman
richardcoleman@mindspring.com