From owner-freebsd-hackers Sat Dec 22 15:29:22 2001
Date: Sun, 23 Dec 2001 02:29:14 +0300 (MSK)
From: Maxim Konovalov
To: Yar Tikhiy
Cc: net@FreeBSD.ORG
Subject: Re: Processing IP options reveals IPSTEALH router
In-Reply-To: <20011221185118.B25868@comp.chem.msu.su>
Message-ID: <20011223022614.U18529-100000@news1.macomnet.ru>

Hello,

On 18:51+0300, Dec 21, 2001, Yar Tikhiy wrote:

> On Wed, Dec 19, 2001 at 08:54:50PM +0300, Maxim Konovalov wrote:
> > On 19:49+0300, Dec 19, 2001, Yar Tikhiy wrote:
> > >
> > > As for source routing, I believe a stealthy router should just drop
> > > such packets as though it were a host. Of course, source-routed
> > > packets destined for the router itself should be accepted.
> >
> > So there are three IPSTEALTH cases:
> >
> > 1/ the dst address is not ours, net.inet.ip.sourceroute=0,
> > net.inet.ip.forwarding=1: process ip options by ip_dooptions().
> >
> > 2/ the dst address is ours: process ip options by ip_dooptions(),
> >
> > 3/ in other cases do not process ip options.
>
> I made a patch that adds the "stealthy IP options feature".
> Honestly, now I'm afraid it's "much ado about nothing", given how
> clumsy a solution is needed for such a small problem. Even the way
> of ignoring IP options completely when doing IPSTEALTH looks way
> better...
IMHO it is not a good idea to forward a packet with possibly incorrect IP options.

The patch looks OK to me.

--
Maxim Konovalov, MAcomnet, Internet-Intranet Dept., system engineer
phone: +7 (095) 796-9079, mailto: maxim@macomnet.ru
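An added example, not from this thread or the FreeBSD source tree, that models the three IPSTEALTH cases quoted above as a decision function and pairs it with a bounds-checked scanner for LSRR/SSRR options in an IPv4 options area; the function names, the boolean stand-ins for the sysctls, and the sample option bytes are assumptions constructed here:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* IPv4 option type codes from RFC 791. */
#define IPOPT_EOL  0
#define IPOPT_NOP  1
#define IPOPT_LSRR 131   /* loose source and record route */
#define IPOPT_SSRR 137   /* strict source and record route */

/* Hypothetical model of the thread's three cases.  The booleans stand in
 * for net.inet.ip.stealth, net.inet.ip.forwarding and net.inet.ip.sourceroute.
 * Returns true when ip_dooptions() should run on the packet. */
bool stealth_should_dooptions(bool ipstealth, bool forwarding,
                              bool sourceroute, bool dst_is_ours)
{
    if (!ipstealth)
        return true;   /* outside IPSTEALTH options are always processed (assumed) */
    if (dst_is_ours)
        return true;   /* case 2: the packet is addressed to us */
    if (forwarding && !sourceroute)
        return true;   /* case 1: we forward, but source routing is disabled */
    return false;      /* case 3: anything else, leave the options alone */
}

/* Walk the options area that follows the 20-byte fixed IPv4 header and
 * report whether a source-route option is present.  Returns 1 if found,
 * 0 if not, and -1 when the option list is malformed so that the caller
 * can drop the packet instead of trusting a bogus length. */
int ipopts_has_sourceroute(const uint8_t *opts, size_t len)
{
    size_t i = 0;
    while (i < len) {
        uint8_t type = opts[i];
        if (type == IPOPT_EOL)
            return 0;
        if (type == IPOPT_NOP) { i++; continue; }
        if (i + 1 >= len)
            return -1;                      /* length byte missing */
        uint8_t olen = opts[i + 1];
        if (olen < 2 || i + olen > len)
            return -1;                      /* length points past the area */
        if (type == IPOPT_LSRR || type == IPOPT_SSRR)
            return 1;
        i += olen;
    }
    return 0;
}

/* Constructed sample option areas (not captured traffic). */
const uint8_t sample_lsrr[]      = { IPOPT_LSRR, 7, 4, 10, 0, 0, 1, IPOPT_EOL };
const uint8_t sample_nop_eol[]   = { IPOPT_NOP, IPOPT_NOP, IPOPT_EOL, 0 };
const uint8_t sample_truncated[] = { IPOPT_LSRR, 7, 4 };
```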