From owner-freebsd-hackers Fri Jun 26 13:34:47 1998
Return-Path:
Received: (from majordom@localhost)
	by hub.freebsd.org (8.8.8/8.8.8) id NAA25239
	for freebsd-hackers-outgoing; Fri, 26 Jun 1998 13:34:47 -0700 (PDT)
	(envelope-from owner-freebsd-hackers@FreeBSD.ORG)
Received: from brooklyn.slack.net (root@brooklyn.slack.net [206.41.21.102])
	by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA25179;
	Fri, 26 Jun 1998 13:34:29 -0700 (PDT)
	(envelope-from andrewr@brooklyn.slack.net)
Received: from localhost (andrewr@localhost)
	by brooklyn.slack.net (8.8.7/8.8.7) with SMTP id QAA24846;
	Fri, 26 Jun 1998 16:37:38 -0400 (EDT)
Date: Fri, 26 Jun 1998 16:37:38 -0400 (EDT)
From: andrewr
To: Nate Lawson
cc: Pierre.Beyssac@hsc.fr, fenner@parc.xerox.com, nate@elite.net,
    julian@whistle.com, freebsd-bugs@FreeBSD.ORG, freebsd-net@FreeBSD.ORG,
    freebsd-hackers@FreeBSD.ORG
Subject: Re: sendto()/raw sockets and now spoofing
In-Reply-To: <199806262018.NAA08152@almond.elite.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I agree with Nate on this, and that is why I stopped in the middle of my
coding.  I only coded the dumb ip_src checker, and I stopped there.  I
thought to myself "Uhm, who would be spoofing the packets??  Root, most
likely.. 'doh'"  And I stopped.

Andrew

*****************************************
AWR
XNS, Inc.
"Drink beer, it will save your life."

On Fri, 26 Jun 1998, Nate Lawson wrote:

> >On Fri, 26 Jun 1998, Pierre Beyssac wrote:
> >> On Fri, Jun 26, 1998 at 09:38:33AM -0400, andrewr wrote:
> >> > Speaking of IP_HDRINCL, after reading raw_ip.c and noticing the protection
> >> > against spoofing (can't use IP_HDRINCL in certain situations), I started
> >> > thinking about actually comparing the user supplied ip->ip_src with the
> >>
> >> Are you sure you're talking about FreeBSD here ?  SunOS 4 has such
> >> a protection (it checks that the source address belongs to one of
> >> the interfaces, or so it seems) but I've successfully spoofed
> >> packets on FreeBSD without any problem using IP_HDRINCL.
> >>
> >> Anyway, such a protection can easily be bypassed by sending raw
> >> link-level packets through bpf (or probably /dev/nit in the case
> >> of SunOS, although I've never tried this).
> >
> >I too have spoofed packets under FreeBSD, I am just noting some things that
> >might want to be changed.
>
> The whole point of IP_HDRINCL is to allow the (privileged) user to supply
> their own IP header.  There should be no code to prevent spoofing because it
> is quite necessary to be able to write arbitrary parts of the IP header.
> A DHCP server is a perfect example of a program that must "spoof" its source
> address.
>
> How far do you start to go with this crusade?  Do you then go on and verify
> ip_id is appropriate?  What about making sure ip_p isn't equal to ANY of the
> known protocols since they are accessible through the ordinary sockets
> interface?
>
> If you put the checks in sendto(), I'll be forced to use BPF for my tools.  If
> you put the checks in BPF too, I'll be forced to include an LKM that patches
> your BPF which ...
>
> An operating system provides a layer of abstraction from the hardware that
> provides protection -- you have this understanding right.  But when a properly
> authenticated and privileged user (root in this case) uses an OS mechanism,
> IP_HDRINCL, to circumvent these checks, that user takes responsibility for the
> behavior of his code by explicitly forgoing the normal OS checks.  This is the
> part you were missing.
>
> -Nate
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message