From owner-freebsd-net@FreeBSD.ORG Thu May 6 17:17:28 2004
Date: Thu, 6 May 2004 17:17:24 -0700
From: David Schultz <das@FreeBSD.ORG>
To: Andre Oppermann
cc: freebsd-net@FreeBSD.ORG
cc: freebsd-current@FreeBSD.ORG
Subject: Re: Default behaviour of IP Options processing
Message-ID: <20040507001724.GA76965@VARK.homeunix.com>
In-Reply-To: <409A8EF3.5825EF0C@freebsd.org>
References: <200405061846.i46Ik3Jc060969@repoman.freebsd.org> <409A8EF3.5825EF0C@freebsd.org>
List-Id: Networking and TCP/IP with FreeBSD

On Thu, May 06, 2004, Andre Oppermann wrote:
> I have just committed the attached change to ip_input() to control the
> behaviour of IP Options processing. The default is the unchanged
> current behaviour.
>
> However I want to propose to change the default from processing options
> to ignoring options (or even stronger to reject them).

I think ignoring IP options by default is a great idea. However, I have
reservations about rejecting packets with options outright, for two reasons:

- If the options are ignored anyway, it isn't clear that rejecting packets
  would buy us additional security. Firewalls are an exception, but in that
  case it is more appropriate to block the packets with a firewall rule.

- Blocking packets could create interoperability issues with other hosts.
  For instance, researchers have proposed DOS defenses that involve placing
  a nonce in the IP timestamp field. If we're going to make the Internet a
  PITA for them to use, there had better be a good reason for it.
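The three behaviours debated in this thread (process options, ignore them, reject packets that carry them) can be shown on a small IPv4 header parser. The code below is an added example written for this page; it is not Andre's committed patch nor FreeBSD's ip_input() code, and the policy enum, the verdict values and the three sample packets are constructed here. Its one practical point is that "ignore" still has to validate option lengths before skipping over them, since a malformed length byte is a header-parsing problem independent of whether the option is acted on.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Policy knob modelled on the thread's three behaviours. The numeric values
 * are this example's own choice, not the kernel's. */
enum ip_opt_policy { OPT_PROCESS = 0, OPT_IGNORE = 1, OPT_REJECT = 2 };

/* Verdict for a packet. */
enum ip_verdict { VERDICT_ACCEPT = 0, VERDICT_DROP = 1 };

#define IPOPT_EOL 0   /* end of option list */
#define IPOPT_NOP 1   /* single-byte padding */
#define IPOPT_TS  68  /* timestamp option, the one mentioned in the thread */

/* Return the IPv4 header length in bytes, or 0 if the header is not usable. */
size_t ipv4_header_len(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;
    if (hlen < 20 || hlen > len) return 0;
    return hlen;
}

/* Walk the options area after the fixed 20-byte header. Returns the number of
 * real options (EOL/NOP padding excluded) or -1 when an option length is
 * malformed. *saw_ts is set when a timestamp option is present. */
int ipv4_walk_options(const uint8_t *opts, size_t optlen, int *saw_ts)
{
    int count = 0;
    size_t i = 0;
    *saw_ts = 0;
    while (i < optlen) {
        uint8_t type = opts[i];
        if (type == IPOPT_EOL) break;
        if (type == IPOPT_NOP) { i++; continue; }
        if (i + 1 >= optlen) return -1;                 /* no room for a length byte */
        uint8_t olen = opts[i + 1];
        if (olen < 2 || i + olen > optlen) return -1;   /* length points outside the header */
        if (type == IPOPT_TS) *saw_ts = 1;
        count++;
        i += olen;
    }
    return count;
}

/* Apply the policy. OPT_REJECT drops any packet carrying options. OPT_IGNORE and
 * OPT_PROCESS both sanity-check the option lengths and drop malformed ones;
 * OPT_PROCESS is where a real stack would then act on each option. */
enum ip_verdict ipv4_apply_option_policy(const uint8_t *pkt, size_t len,
                                         enum ip_opt_policy policy, int *nopts)
{
    size_t hlen = ipv4_header_len(pkt, len);
    *nopts = 0;
    if (hlen == 0) return VERDICT_DROP;
    if (hlen == 20) return VERDICT_ACCEPT;      /* no options present */
    if (policy == OPT_REJECT) return VERDICT_DROP;
    int saw_ts;
    int n = ipv4_walk_options(pkt + 20, hlen - 20, &saw_ts);
    if (n < 0) return VERDICT_DROP;             /* malformed option length */
    *nopts = n;
    (void)saw_ts;  /* under OPT_PROCESS this is where timestamps would be filled in */
    return VERDICT_ACCEPT;
}

/* Constructed sample packets (this example's own data, not captured traffic). */
static const uint8_t pkt_plain[20] = {
    0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x40, 0x00, 0x40, 0x01, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02 };
static const uint8_t pkt_ts[24] = {              /* IHL=6: one 4-byte timestamp option */
    0x46, 0x00, 0x00, 0x18, 0x00, 0x00, 0x40, 0x00, 0x40, 0x01, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02, IPOPT_TS, 4, 5, 0 };
static const uint8_t pkt_bad[24] = {             /* IHL=6: option with length byte 0 */
    0x46, 0x00, 0x00, 0x18, 0x00, 0x00, 0x40, 0x00, 0x40, 0x01, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02, IPOPT_TS, 0, 0, 0 };

/* Convenience wrappers over the samples, returning the integer verdict. */
int verdict_plain(enum ip_opt_policy p) { int n; return ipv4_apply_option_policy(pkt_plain, sizeof pkt_plain, p, &n); }
int verdict_ts(enum ip_opt_policy p)    { int n; return ipv4_apply_option_policy(pkt_ts, sizeof pkt_ts, p, &n); }
int verdict_bad(enum ip_opt_policy p)   { int n; return ipv4_apply_option_policy(pkt_bad, sizeof pkt_bad, p, &n); }
int options_in_ts_packet(void)          { int n; ipv4_apply_option_policy(pkt_ts, sizeof pkt_ts, OPT_IGNORE, &n); return n; }

int main(void)
{
    const char *names[] = { "process", "ignore", "reject" };
    for (int p = OPT_PROCESS; p <= OPT_REJECT; p++)
        printf("%-7s plain=%d ts=%d bad=%d\n", names[p],
               verdict_plain(p), verdict_ts(p), verdict_bad(p));
    return 0;
}
```

In FreeBSD the knob this commit introduced is the sysctl net.inet.ip.process_options (0 = ignore, 1 = process, 2 = reject); the example's enum mirrors those three states but its values are its own. The table printed by main() makes the thread's argument concrete: the timestamp packet that a nonce-based DOS defense would send passes under both "process" and "ignore" and is only lost under "reject", while the malformed packet is dropped under every policy, so "ignore" gives up nothing on header sanity.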