Date:      Mon, 8 Sep 1997 00:28:39 -0700 (PDT)
From:      "Rodney W. Grimes" <rgrimes@GndRsh.aac.dev.com>
To:        nate@mt.sri.com (Nate Williams)
Cc:        brian@awfulhak.org, freebsd-stable@freebsd.org
Subject:   Re: Don Croyle: make world failing at ppp install (again)
Message-ID:  <199709080728.AAA16253@GndRsh.aac.dev.com>
In-Reply-To: <199709080556.XAA18293@rocky.mt.sri.com> from Nate Williams at "Sep 7, 97 11:56:23 pm"

You can wave your hands all around about ease of use vs doing it
right, but the bottom line is as ppp stands today it is a security
hole, and security holes are bad karma.

Okay, the group network cuts down the exposure; now you only have to deal
with a fistful of users who can bring your router down.

I simply fix most of the problem by rm'ing the user land ppp files,
use the kernel version, make sure I don't have any tun drivers, etc.

> > Running ppp does _NOT_ *require* write access to the routing table,
> > this is much much much better handled by properly configuring
> > a real routing daemon and running real routing protocols.
> 
> Bzzt, thanks for playing, but for 99.9999999% of the folks who run a PPP
> connection, a 'real routing daemon' is way overkill and will cause them
> no end of headaches.

And for those 99.9999% of the folks /sbin/routed -q will do just what
they need.  Now, was that so hard?  I didn't say the only real routing
daemon was gated, but for server side ppp boxes it's a lot more gutsy
than /sbin/routed.  If you have VLSM, run routed in RIPv2 mode.

> 
> > In fact I have to go to great pains to _stop_ what ppp tries to do to
> > the routing tables, gated handles it MUCH better!
> 
> Gated handles nothing better unless you've got a spare 40 hours to
> dedicate to figuring out how it works.  Gated is only necessary if
> you've got multiple 'routes', and most (see above) folks have a single
> network connection which is their PPP link.
> 
> Engineering is finding the best solution for most folks, optimizing it
> for it while trying to not penalize the rest of the folks.  What ijppp
> does is take the engineering approach, and not find the 'best/most
> complicated/gated' solution.

And leaves a big security hole....


-- 
Rod Grimes                                      rgrimes@gndrsh.aac.dev.com
Accurate Automation, Inc.                   Reliable computers for FreeBSD
