Date:      Sun, 23 Dec 2001 02:29:14 +0300 (MSK)
From:      Maxim Konovalov <maxim@macomnet.ru>
To:        Yar Tikhiy <yar@FreeBSD.ORG>
Cc:        net@FreeBSD.ORG, <hackers@FreeBSD.ORG>
Subject:   Re: Processing IP options reveals IPSTEALTH router
Message-ID:  <20011223022614.U18529-100000@news1.macomnet.ru>
In-Reply-To: <20011221185118.B25868@comp.chem.msu.su>


Hello,

On 18:51+0300, Dec 21, 2001, Yar Tikhiy wrote:

> On Wed, Dec 19, 2001 at 08:54:50PM +0300, Maxim Konovalov wrote:
> > On 19:49+0300, Dec 19, 2001, Yar Tikhiy wrote:
> >
> > > As for source routing, I believe a stealthy router should just drop
> > > such packets as though it were a host.  Of course, source-routed
> > > packets destined for the router itself should be accepted.
> >
> > So there are three IPSTEALTH cases:
> >
> > 1/ the dst address is not ours, net.inet.ip.sourceroute=0,
> > net.inet.ip.forwarding=1: process ip options by ip_dooptions().
> >
> > 2/ the dst address is ours: process ip options by ip_dooptions(),
> >
> > 3/ in other cases do not process ip options.
>
> I made a patch that adds the "stealthy IP options feature".
> Honestly, now I'm afraid it's "much ado about nothing", given how
> clumsy a solution is needed for such a small problem.  Even the way
> of ignoring IP options completely when doing IPSTEALTH looks way
> better...

IMHO it is not a good idea to forward a packet with possibly incorrect
IP options.

The patch looks OK to me.

-- 
Maxim Konovalov, MAcomnet, Internet-Intranet Dept., system engineer
phone: +7 (095) 796-9079, mailto: maxim@macomnet.ru
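The three IPSTEALTH cases listed above, together with the host-like drop of source-routed transit packets that Yar describes, as an added example in C; this is not the patch from the thread nor FreeBSD's ip_input.c. The struct ip_policy, the function names and the option bytes are constructed for illustration; malformed option lengths are dropped as well, since forwarding a packet with incorrect options is exactly what Maxim objects to.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* IPv4 option type codes from RFC 791. */
#define IPOPT_EOL  0
#define IPOPT_NOP  1
#define IPOPT_LSRR 131
#define IPOPT_SSRR 137

enum verdict { OPT_PROCESS, OPT_SKIP, OPT_DROP };

/* Hypothetical bundle of the knobs discussed in the thread. */
struct ip_policy {
    bool ipstealth;    /* IPSTEALTH behaviour enabled */
    bool sourceroute;  /* net.inet.ip.sourceroute */
    bool forwarding;   /* net.inet.ip.forwarding */
};

/* Walk the options area: -1 if malformed, 1 if it carries LSRR/SSRR, else 0. */
static int scan_options(const uint8_t *opts, size_t len)
{
    for (size_t i = 0; i < len; ) {
        uint8_t type = opts[i];
        if (type == IPOPT_EOL) break;
        if (type == IPOPT_NOP) { i++; continue; }
        if (i + 1 >= len) return -1;                       /* truncated option */
        uint8_t optlen = opts[i + 1];
        if (optlen < 2 || i + optlen > len) return -1;     /* bogus length */
        if (type == IPOPT_LSRR || type == IPOPT_SSRR) return 1;
        i += optlen;
    }
    return 0;
}

/* Decide whether a stealthy router runs option processing on this packet. */
enum verdict stealth_ip_options(const struct ip_policy *p, bool dst_is_ours,
                                const uint8_t *opts, size_t len)
{
    if (dst_is_ours) return OPT_PROCESS;                      /* case 2 */
    if (p->ipstealth && (p->sourceroute || !p->forwarding))
        return OPT_SKIP;                                      /* case 3 */
    /* case 1 (or non-stealth): options are processed; a transit packet that
     * is source-routed while sourceroute=0 is dropped, as a host would do. */
    int sr = scan_options(opts, len);
    if (sr < 0) return OPT_DROP;
    if (sr > 0 && !p->sourceroute) return OPT_DROP;
    return OPT_PROCESS;
}
```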

