Date: Wed, 19 Dec 2001 19:50:48 +0300
From: Yar Tikhiy <yar@FreeBSD.ORG>
To: Ruslan Ermilov <ru@FreeBSD.ORG>
Cc: net@FreeBSD.ORG, hackers@FreeBSD.ORG
Subject: Re: Processing IP options reveals IPSTEALH router
Message-ID: <20011219195047.E21732@comp.chem.msu.su>
In-Reply-To: <20011219173313.C54315@sunbay.com>; from ru@FreeBSD.ORG on Wed, Dec 19, 2001 at 05:33:13PM +0200
References: <20011219181929.A20425@comp.chem.msu.su> <20011219173313.C54315@sunbay.com>
On Wed, Dec 19, 2001 at 05:33:13PM +0200, Ruslan Ermilov wrote:
> On Wed, Dec 19, 2001 at 06:19:29PM +0300, Yar Tikhiy wrote:
> >
> > I ran into an absolutely clear, but year-old PR pointing out that
> > a router in the IPSTEALTH mode will reveal itself when processing
> > IP options: kern/23123.
> >
> > The fix proposed seems clean and right to me: don't do IP options
> > at all when in the IPSTEALTH mode. Does anyone have objections?
> > If no, I'll commit the fix.
> >
> What if the packet is directed to us? I think we should still
> process options in this case, and the patch in the PR doesn't
> seem to do it.

Good point! Indeed, just ignoring IP options would let a third party
identify a FreeBSD host as a stealthy router. I think it's safe to
move doing IP options to after identifying an IP packet as destined
for this or another host. I'll make a patch and show it here.

> <PS>
> I was going to replace IPSTEALTH functionality with the
> net.inet.ip.decttl knob. Setting it to 0 would match the
> IPSTEALTH behavior; the default value will be 1.
> </PS>

In fact, IPSTEALTH does already have a sysctl knob: net.inet.ip.stealth,
which is initially zero (i.e. don't be stealthy). To my mind, the
"stealth" name fits its purpose better since just leaving TTL untouched
is insufficient for a router to achieve really stealthy behaviour.

-- 
Yar
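The check discussed in this thread, as an added example that is not code from the thread or from FreeBSD's ip_input.c: a small C model of Record Route handling in which a router does IP options only after the destination check, so a stealth router touches options solely on packets addressed to itself. The `stealth` and `for_us` flags and the 10.0.0.1 router address are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define IPOPT_EOL 0             /* end of option list */
#define IPOPT_NOP 1             /* no-op padding */
#define IPOPT_RR  7             /* record route (RFC 791) */
#define ROUTER_ADDR 0x0A000001u /* constructed router address, 10.0.0.1 */

/* Walk an IPv4 options area; if a Record Route option has a free slot, write
 * our address into it as a router doing options would.  Assumed model of the
 * fix discussed above: options are handled only after the destination check,
 * and a stealth router leaves them alone when merely forwarding.
 * Returns 1 if an address was recorded, 0 if untouched, -1 if malformed. */
int ip_dooptions_sim(uint8_t *opts, size_t optlen, uint32_t our_addr,
                     int stealth, bool for_us)
{
    if (stealth && !for_us) return 0;       /* forwarding stealthily */
    for (size_t i = 0; i < optlen; ) {
        uint8_t opt = opts[i];
        if (opt == IPOPT_EOL) break;
        if (opt == IPOPT_NOP) { i++; continue; }
        if (i + 1 >= optlen) return -1;      /* length byte missing */
        uint8_t len = opts[i + 1];
        if (len < 2 || i + len > optlen) return -1; /* runs past area */
        if (opt == IPOPT_RR && len >= 3) {
            uint8_t ptr = opts[i + 2];       /* 1-based offset of next slot */
            if (ptr >= 4 && (size_t)ptr + 3 <= len) {   /* slot available */
                uint8_t *slot = opts + i + ptr - 1;
                slot[0] = (uint8_t)(our_addr >> 24);
                slot[1] = (uint8_t)(our_addr >> 16);
                slot[2] = (uint8_t)(our_addr >> 8);
                slot[3] = (uint8_t)our_addr;
                opts[i + 2] = (uint8_t)(ptr + 4); /* advance to next slot */
                return 1;
            }
        }
        i += len;
    }
    return 0;
}

/* Constructed scenario: an RR option with one empty slot reaches a router with
 * the given stealth setting; returns the address left in the slot (0 = none). */
uint32_t rr_scenario(int stealth, bool for_us)
{
    uint8_t opts[8] = { IPOPT_RR, 7, 4, 0, 0, 0, 0, IPOPT_EOL };
    ip_dooptions_sim(opts, sizeof opts, ROUTER_ADDR, stealth, for_us);
    return ((uint32_t)opts[3] << 24) | ((uint32_t)opts[4] << 16) |
           ((uint32_t)opts[5] << 8) | opts[6];
}
```

A forwarded packet passing a stealth router comes out with its RR slot still empty, while a packet addressed to the router itself is still recorded normally, which is the behaviour Ruslan's objection asks for.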