From owner-freebsd-mobile@FreeBSD.ORG Wed Apr 16 13:12:13 2003
Date: Wed, 16 Apr 2003 13:12:10 -0700
From: "Kevin Oberman"
To: Larry Rosenman
cc: mobile@freebsd.org
cc: John Polstra
Subject: Re: "broadcast ping" message
In-Reply-To: Message from Larry Rosenman <346670000.1050520099@lerlaptop.iadfw.net>
Message-Id: <20030416201210.595235D04@ptavv.es.net>
List-Id: Mobile computing with FreeBSD

> Date: Wed, 16 Apr 2003 14:08:19 -0500
> From: Larry Rosenman
> Sender: owner-freebsd-mobile@freebsd.org
>
> --On Wednesday, April 16, 2003 12:05:41 -0700 Jamie Bowden wrote:
>
> > On Wed, 16 Apr 2003, John Polstra wrote:
> >
> >> Oh, drop it! Security fixes don't wait on standards. You've got a
> >> knob to make it do what you want -- so use it. Please stop the
> >> whining or at least remove me from the cc list.
> >
> > Since when is DOS a security issue? My issue is default behaviour
> > violating both POLA and RFC. You've got a knob to turn it off if it bugs
> > you.
>
> For clueless newbies that cause an ISP to be blacklisted, it sure as HECK
> **IS** a security issue.
Larry,

You are not arguing the issue at hand and many people are not sufficiently involved with Internet routing to realize that this is not relevant.

To put it simply, if you have a router that FORWARDS broadcast pings, you will very quickly become blue smurf toast. This is not an option or matter of discretion and Cisco was massively abused for the old default. No other router vendor forwards broadcast pings by default, either.

But the issue was not that of forwarding broadcast pings. The issue is a system responding to a broadcast ping. Almost all systems do and all should (IMHO). This is NOT a security issue. It's not even a denial of service issue unless you have a very large broadcast domain and potentially hostile, non-routed access to it.

I have never seen any proposal to change the "normal" behavior of responding to broadcast pings as a proposed standard or BCP.

Of course, if a FreeBSD box is used as a router, it should not forward directed broadcasts. (But that does not mean that it should not respond to them.)

R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net
Phone: +1 510 486-8634
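The distinction Kevin draws above, hosts answering an on-link broadcast ping versus a router forwarding a directed broadcast that arrived from off-link, as an added detection example that is not part of the original thread: it classifies ICMP echo requests as a router would see them and counts the off-link directed-broadcast senders that forwarding would amplify. The interface names, addresses and the local /24 are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample records: ICMP echo requests as a router would see them,
# (ingress interface, source address, destination address). Not real traffic.
SAMPLE_ECHO_REQUESTS = [
    ("em0", "203.0.113.7", "192.0.2.255"),   # from outside, aimed at our /24 broadcast
    ("em0", "203.0.113.7", "192.0.2.255"),
    ("em0", "203.0.113.7", "192.0.2.0"),     # all-zeros form of the same broadcast
    ("em1", "192.0.2.10", "192.0.2.255"),    # on-link broadcast ping: hosts may answer
    ("em0", "198.51.100.4", "192.0.2.20"),   # ordinary unicast echo request
]

# Assumed topology: em1 is the inside /24; anything arriving elsewhere is off-link.
LOCAL_NETS = {"em1": ipaddress.ip_network("192.0.2.0/24")}


def classify(iface, src, dst):
    """Return 'unicast', 'local_broadcast' or 'directed_broadcast_offlink'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local_iface, net in LOCAL_NETS.items():
        if d in (net.broadcast_address, net.network_address):
            # Addressed to a whole local broadcast domain.
            if iface == local_iface and s in net:
                return "local_broadcast"
            # Off-link source: the packet a router must not forward, because every
            # host that answers would reply to the (possibly spoofed) source.
            return "directed_broadcast_offlink"
    return "unicast"


def amplification_sources(records):
    """Count off-link directed-broadcast echo requests per source address."""
    hits = Counter()
    for iface, src, dst in records:
        if classify(iface, src, dst) == "directed_broadcast_offlink":
            hits[src] += 1
    return hits


if __name__ == "__main__":
    for rec in SAMPLE_ECHO_REQUESTS:
        print(rec, "->", classify(*rec))
    print(amplification_sources(SAMPLE_ECHO_REQUESTS))
```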