From: Maxim Konovalov
To: Yar Tikhiy
Cc: net@FreeBSD.ORG
Date: Thu, 20 Dec 2001 01:24:48 +0300 (MSK)
Subject: Re: IP options (was: Processing IP options reveals IPSTEALH router)
In-Reply-To: <20011220003555.A52848@comp.chem.msu.su>
Message-ID: <20011220011255.G79558-100000@news1.macomnet.ru>

Morning,

On 00:35+0300, Dec 20, 2001, Yar Tikhiy wrote:

> On Wed, Dec 19, 2001 at 08:54:50PM +0300, Maxim Konovalov wrote:
> >
> > By the way, is it correct to forward the packet with incorrect ip
> > options? Now we do not.
>
> No RFC seems to specify that particularly. However, RFC 1812 reads
> in general:
>
>    (1) A router MUST verify the IP header, as described in section
>        [5.2.2], before performing any actions based on the contents of
>        the header. This allows the router to detect and discard bad
>        packets before the expenditure of other resources.
>
> Meanwhile more IP option issues came to my attention...
>
> Neither RFC 791 nor RFC 1122 nor RFC 1812 specify the following:
> if a source-routed IP packet reaches the end of its route, but its
> destination address doesn't match a current host/router, whether
> the packet should be discarded, sent forth through usual routing
> or accepted as destined for this host? FreeBSD will route such a
> packet as usual.

Stevens, TCP Ill. vII, p.257 says: "If the destination address of the
packet does not match one of the local addresses and the option is a
strict source routing (IPOPT_SSRR), an ICMP source route failure error
is sent. If a local address isn't listed in the route, the previous
system sent the packet to the wrong host. This isn't an error for a
loose source route (IPOPT_LSRR); it means IP must forward the packet
toward the destination."

That is what ip_input does near line 1193.

> Then, a FreeBSD host (net.inet.ip.forwarding=0) will respond with
> Source Route Failed ICMPs to source-routed IP packets if source
> route processing is prohibited using net.inet.ip.sourceroute or
> net.inet.ip.accept_sourceroute. To my mind, it may be deduced
> from RFC 1122 that a host must stay silent in this case...

-- 
Maxim Konovalov, MAcomnet, Internet-Intranet Dept., system engineer
phone: +7 (095) 796-9079, mailto: maxim@macomnet.ru
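The decision the thread argues about, written out as an added example: a toy model of my own, not the kernel's ip_dooptions(), combining the header check RFC 1812 demands, Stevens' rule for a destination that is not local, and the two sysctls Yar names. The option areas are constructed samples; the option codes follow RFC 791 and the sysctls are modelled as plain integer flags.

```c
#include <stddef.h>
#include <stdint.h>

#define IPOPT_EOL    0
#define IPOPT_NOP    1
#define IPOPT_LSRR   131
#define IPOPT_SSRR   137
#define IPOPT_MINOFF 4    /* RFC 791: smallest legal route pointer */

enum srr_action {
    SRR_NONE,         /* no source-route option in the header */
    SRR_BAD_OPTION,   /* malformed option: discard (RFC 1812 MUST verify the header) */
    SRR_DELIVER,      /* route exhausted, destination is ours: accept locally */
    SRR_FORWARD,      /* forward, by normal routing or to the next route hop */
    SRR_ICMP_SRCFAIL  /* answer with ICMP unreachable / source route failed */
};

/* Constructed sample option areas (not captured traffic). */
static const uint8_t SAMPLE_LSRR_END[] = { IPOPT_LSRR, 7, 8, 10, 0, 0, 1 }; /* ptr past end */
static const uint8_t SAMPLE_SSRR_MID[] = { IPOPT_SSRR, 7, 4, 10, 0, 0, 1 }; /* one hop left */
static const uint8_t SAMPLE_BAD_LEN[]  = { IPOPT_LSRR, 9, 4, 10, 0, 0, 1 }; /* len > area */
static const uint8_t SAMPLE_NO_SRR[]   = { IPOPT_NOP, IPOPT_NOP, IPOPT_EOL, 0 };

/* opts/optlen: the IP options area (bytes after the fixed 20-byte header).
 * dst_is_local: 1 if ip_dst is one of this host's addresses.
 * sourceroute / accept_sourceroute: model of the two sysctls named in the thread. */
enum srr_action srr_decide(const uint8_t *opts, size_t optlen,
                           int dst_is_local, int sourceroute, int accept_sourceroute)
{
    size_t i = 0;
    while (i < optlen && opts[i] != IPOPT_EOL) {
        uint8_t type = opts[i];
        if (type == IPOPT_NOP) { i++; continue; }
        if (i + 1 >= optlen) return SRR_BAD_OPTION;
        uint8_t len = opts[i + 1];
        if (len < 2 || i + len > optlen) return SRR_BAD_OPTION;
        if (type == IPOPT_LSRR || type == IPOPT_SSRR) {
            if (len < 3 || opts[i + 2] < IPOPT_MINOFF) return SRR_BAD_OPTION;
            /* ptr is 1-origin from the option start; no 4-byte slot left means exhausted */
            int exhausted = (size_t)opts[i + 2] + 3 > len;
            if (!dst_is_local)      /* the Stevens rule, plus the sourceroute knob */
                return (type == IPOPT_SSRR || !sourceroute) ? SRR_ICMP_SRCFAIL : SRR_FORWARD;
            if (exhausted)          /* end of route, addressed to us */
                return accept_sourceroute ? SRR_DELIVER : SRR_ICMP_SRCFAIL;
            return sourceroute ? SRR_FORWARD : SRR_ICMP_SRCFAIL; /* we are a hop */
        }
        i += len;
    }
    return SRR_NONE;
}
```

With both flags off, every source-routed packet addressed to the host ends in SRR_ICMP_SRCFAIL, which is the behaviour Yar questions against RFC 1122.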