Date: Thu, 20 Dec 2001 01:24:48 +0300 (MSK)
From: Maxim Konovalov <maxim@macomnet.ru>
To: Yar Tikhiy <yar@FreeBSD.ORG>
Cc: net@FreeBSD.ORG, <hackers@FreeBSD.ORG>
Subject: Re: IP options (was: Processing IP options reveals IPSTEALH router)
Message-ID: <20011220011255.G79558-100000@news1.macomnet.ru>
In-Reply-To: <20011220003555.A52848@comp.chem.msu.su>

Morning,

On 00:35+0300, Dec 20, 2001, Yar Tikhiy wrote:

> On Wed, Dec 19, 2001 at 08:54:50PM +0300, Maxim Konovalov wrote:
> >
> > By the way, is it correct to forward the packet with incorrect ip
> > options? Now we do not.
>
> No RFC seems to specify that particularly. However, RFC 1812 reads
> in general:
>
>   (1) A router MUST verify the IP header, as described in section
>       [5.2.2], before performing any actions based on the contents of
>       the header. This allows the router to detect and discard bad
>       packets before the expenditure of other resources.
>
> Meanwhile more IP option issues came to my attention...
>
> Neither RFC 791 nor RFC 1122 nor RFC 1812 specify the following:
> if a source-routed IP packet reaches the end of its route, but its
> destination address doesn't match a current host/router, whether
> the packet should be discarded, sent forth through usual routing
> or accepted as destined for this host? FreeBSD will route such a
> packet as usual.

Stevens, TCP Ill. vII, p.257 says:

"If the destination address of the packet does not match one of the
local addresses and the option is a strict source routing
(IPOPT_SSRR), an ICMP source route failure error is sent. If a local
address isn't listed in the route, the previous system sent the packet
to the wrong host. This isn't an error for a loose source route
(IPOPT_LSRR); it means IP must forward the packet toward the
destination."

That is what ip_input does near the line 1193.

> Then, a FreeBSD host (net.inet.ip.forwarding=0) will respond with
> Source Route Failed ICMPs to source-routed IP packets if source
> route processing is prohibited using net.inet.ip.sourceroute or
> net.inet.ip.accept_sourceroute. To my mind, it may be deduced
> from RFC 1122 that a host must stay silent in this case...

--
Maxim Konovalov, MAcomnet, Internet-Intranet Dept., system engineer
phone: +7 (095) 796-9079, mailto: maxim@macomnet.ru
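
The rule in the Stevens passage quoted in this message, written out as an added example that is not part of the original e-mail and is not FreeBSD's ip_input code. It is a simplified model: `srcroute_decide`, `enum sr_action` and the sample bytes are hypothetical names and constructed data, and whether the destination is a local address is passed in as a flag.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Option type values from RFC 791, defined here to keep the example self-contained. */
#define IPOPT_EOL    0
#define IPOPT_NOP    1
#define IPOPT_LSRR   131
#define IPOPT_SSRR   137
#define IPOPT_MINOFF 4    /* smallest legal route pointer */

enum sr_action { SR_NONE, SR_PROCESS, SR_FORWARD, SR_ICMP_SRCFAIL, SR_BAD_OPTION };

/* Hypothetical helper: walk the options area and apply the quoted rule. */
enum sr_action
srcroute_decide(const uint8_t *opt, size_t cnt, int dst_is_local)
{
    while (cnt > 0) {
        uint8_t type = opt[0];
        size_t len;
        if (type == IPOPT_EOL)
            break;
        if (type == IPOPT_NOP) {
            len = 1;
        } else {
            if (cnt < 2 || opt[1] < 2 || opt[1] > cnt)
                return SR_BAD_OPTION;   /* length byte missing or past the header */
            len = opt[1];
        }
        if (type == IPOPT_LSRR || type == IPOPT_SSRR) {
            if (len < 3 || opt[2] < IPOPT_MINOFF)
                return SR_BAD_OPTION;   /* no pointer byte, or pointer too small */
            if (dst_is_local)
                return SR_PROCESS;      /* this system is a listed hop */
            /* Not addressed to us: an error only for a strict route. */
            return type == IPOPT_SSRR ? SR_ICMP_SRCFAIL : SR_FORWARD;
        }
        opt += len;
        cnt -= len;
    }
    return SR_NONE;
}

int main(void) {
    /* Constructed sample: NOP, then SSRR, length 7, pointer 4, hop 192.0.2.1 */
    const uint8_t ssrr[] = { 1, 137, 7, 4, 192, 0, 2, 1 };
    printf("%d\n", srcroute_decide(ssrr, sizeof ssrr, 0)); /* prints 3 (SR_ICMP_SRCFAIL) */
    return 0;
}
```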