From owner-freebsd-net@FreeBSD.ORG Thu May 6 12:16:07 2004
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 193DB16A4CE for ; Thu, 6 May 2004 12:16:07 -0700 (PDT)
Received: from mailtoaster1.pipeline.ch (mailtoaster1.pipeline.ch [62.48.0.70]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9354643D2D for ; Thu, 6 May 2004 12:16:05 -0700 (PDT) (envelope-from andre@freebsd.org)
Received: (qmail 75296 invoked from network); 6 May 2004 19:16:04 -0000
Received: from unknown (HELO freebsd.org) ([62.48.0.53]) (envelope-sender ) by mailtoaster1.pipeline.ch (qmail-ldap-1.03) with SMTP for ; 6 May 2004 19:16:04 -0000
Message-ID: <409A8EF3.5825EF0C@freebsd.org>
Date: Thu, 06 May 2004 21:16:03 +0200
From: Andre Oppermann
X-Mailer: Mozilla 4.8 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-current@freebsd.org, freebsd-net@freebsd.org
References: <200405061846.i46Ik3Jc060969@repoman.freebsd.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: Default behaviour of IP Options processing
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 06 May 2004 19:16:07 -0000

I have just committed the attached change to ip_input() to control the
behaviour of IP Options processing. The default is the unchanged current
behaviour. However, I want to propose to change the default from processing
options to ignoring options (or even stronger, to reject them).

The rationale is as follows. IP Options do not have any legitimate use in
today's Internet at all. For a long time now we have disabled source
routing. The remaining IP Options are RR (record route) and TS (time
stamp), which are both useless. For finding out which path a packet takes
we use traceroute instead of RR. Besides that, RR is limited to the space
in the IP Options field and can possibly record only a few hops (9 IIRC).
Time stamp is useless for the same reason, and since it doesn't have a
fixed and synchronized timebase it is even more so useless.

Opinions? Discussion? Yes/Nay?

--
Andre

> andre 2004/05/06 11:46:03 PDT
>
> FreeBSD src repository
>
> Modified files:
> sys/netinet ip_fastfwd.c ip_input.c ip_var.h
> Log:
> Provide the sysctl net.inet.ip.process_options to control the processing
> of IP options.
>
> net.inet.ip.process_options=0 Ignore IP options and pass packets unmodified.
> net.inet.ip.process_options=1 Process all IP options (default).
> net.inet.ip.process_options=2 Reject all packets with IP options with ICMP
> filter prohibited message.
>
> This sysctl affects packets destined for the local host as well as those
> only transiting through the host (routing).
>
> IP options do not have any legitimate purpose anymore and are only used
> to circumvent firewalls or to exploit certain behaviours or bugs in TCP/IP
> stacks.
>
> Reviewed by: sam (mentor)
>
> Revision Changes Path
> 1.11 +10 -2 src/sys/netinet/ip_fastfwd.c
> 1.271 +13 -0 src/sys/netinet/ip_input.c
> 1.87 +1 -0 src/sys/netinet/ip_var.h
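The three policies described in the commit log, and the RR capacity limit Andre mentions, can be illustrated with a small user-space model. The following is an added example written for this page, not code from the mail or from the FreeBSD kernel: it parses the IPv4 option list from a raw header, applies the ignore/process/reject policy of `net.inet.ip.process_options` (returning a string where the kernel would forward, process, or send an ICMP filter-prohibited message), and computes how many hops a record-route option can hold. All packets are constructed inline with documentation addresses; the `build_ipv4` helper and the function names are this example's own.

```python
"""Model of the net.inet.ip.process_options policies (added example; not
the FreeBSD implementation). Packets are constructed by hand below."""
import struct

# IPv4 option type octets from RFC 791 (copied/class bits included).
OPT_EOL = 0       # end of option list
OPT_NOP = 1       # no-operation (padding)
OPT_RR = 7        # record route
OPT_TS = 68       # internet timestamp
OPT_LSRR = 131    # loose source route
OPT_SSRR = 137    # strict source route
OPTION_NAMES = {OPT_EOL: "EOL", OPT_NOP: "NOP", OPT_RR: "RR", OPT_TS: "TS",
                OPT_LSRR: "LSRR", OPT_SSRR: "SSRR"}

# Values of the sysctl as documented in the commit log.
PROCESS_IGNORE, PROCESS_ALL, PROCESS_REJECT = 0, 1, 2


def parse_options(ip_packet: bytes):
    """Return [(type, data), ...] for the options in an IPv4 header.
    Raises ValueError on a short header, bad IHL, or bad option length."""
    if len(ip_packet) < 20:
        raise ValueError("short IP header")
    ihl = (ip_packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(ip_packet):
        raise ValueError("bad IHL")
    opts = ip_packet[20:ihl]
    result, i = [], 0
    while i < len(opts):
        t = opts[i]
        if t == OPT_EOL:
            break
        if t == OPT_NOP:
            result.append((t, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option without length octet")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        result.append((t, opts[i + 2:i + length]))
        i += length
    return result


def apply_policy(ip_packet: bytes, mode: int) -> str:
    """Return 'pass', 'process' or 'reject' for the given sysctl mode.
    A malformed option list is rejected whatever the mode."""
    try:
        opts = parse_options(ip_packet)
    except ValueError:
        return "reject"
    if not opts or mode == PROCESS_IGNORE:
        return "pass"            # mode 0: forward unmodified
    if mode == PROCESS_REJECT:
        return "reject"          # mode 2: kernel sends ICMP filter-prohibited
    return "process"             # mode 1 (default): act on the options


def rr_capacity(options) -> int:
    """Address slots in a record-route option, 0 if there is none. With a
    40-byte option field the largest RR is 39 bytes: (39 - 3) // 4 == 9."""
    for t, data in options:
        if t == OPT_RR:
            return (len(data) - 1) // 4   # data = pointer octet + slots
    return 0


def build_ipv4(options: bytes = b"") -> bytes:
    """Construct a minimal IPv4 header (hypothetical helper, checksum left
    zero) carrying the raw options, padded to a 4-byte boundary with EOL."""
    options += b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0,
                      64, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + options


if __name__ == "__main__":
    # Largest possible record-route option: type, length 39, pointer 4, 9 slots.
    rr_pkt = build_ipv4(bytes([OPT_RR, 39, 4]) + b"\x00" * 36)
    opts = parse_options(rr_pkt)
    print([OPTION_NAMES.get(t, t) for t, _ in opts], "slots:", rr_capacity(opts))
    for mode in (PROCESS_IGNORE, PROCESS_ALL, PROCESS_REJECT):
        print("mode", mode, "->", apply_policy(rr_pkt, mode))
```

Running the block prints the single RR option with 9 slots and then `pass`, `process`, `reject` for modes 0, 1 and 2; a packet whose option length octet exceeds the option field is rejected in every mode, which is the parsing failure a real stack also has to handle before any policy applies.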