Date:      Wed, 22 Dec 1999 00:04:22 -0800
From:      Pavlin Ivanov Radoslavov <pavlin@catarina.usc.edu>
To:        Dmitry Samersoff <dms@wplus.net>
Cc:        Pavlin Ivanov Radoslavov <pavlin@catarina.usc.edu>, net@FreeBSD.ORG
Subject:   Re: TTL and FreeBSD-3.4 
Message-ID:  <199912220804.AAA21295@rumi.usc.edu>
In-Reply-To: Your message of "Tue, 21 Dec 1999 13:33:35 +0300." <XFMail.19991221133335.dms@wplus.net>

> > I just got the announcement for the FreeBSD-3.4 release and
> > something caught my attention:
> > 
> > 1.2. SECURITY CHANGES
> > ---------------------
> > <del>
> > Support has been added for forwarding IP datagrams without
> > inspecting or
> > decreasing the TTL in order to make gateways and firewalls less
> > visible
> > and therefore less exposed to attacks.
> > ======
> > 
> > I understand the security concern and the motivations for adding
> > this feature, but isn't forwarding IP datagrams without decreasing
> > their TTL a violation of one of the requirements
> > for the routers (e.g. RFC 1812, Section 5.2.1.2 (step 7) and 5.3.1)?
> > By not following this requirement, there is great danger from
> > looping packets infinitely, which could be much worse than
> > someone discovering your gateway IP address.
> 
> IMHO, FreeBSD itself is dangerous enough, because all source is available ;-))
> All such patches believe that I well know what I'm doing, and save my time
> because I need not make such patches by hand.

Well, you don't really need FreeBSD's source, because you can always
write your own OS :)


After some search in the FreeBSD-current and 3.4 source tree, the
only thing I found related is IPSTEALTH. The LINT says:

# IPSTEALTH enables code to support stealth forwarding (i.e., forwarding
# packets without touching the ttl).  This can be useful to hide firewalls
# from traceroute and similar tools.

However, IPSTEALTH matters only in the following code (in
netinet/ip_input.c):

#ifdef IPSTEALTH
        if (!ipstealth) {
#endif
                if (ip->ip_ttl <= IPTTLDEC) {
                        icmp_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS,
                            dest, 0);
                        return;
                }
                ip->ip_ttl -= IPTTLDEC;
#ifdef IPSTEALTH
        }
#endif

So, IPSTEALTH can be used to configure a router such that it will
not respond with an ICMP "TTL Exceeded" if the ttl of the IP data packet
is <= 1, and therefore it will be invisible to traceroute. This is
completely different from the explanation in the LINT and from the
text in the original announcement, and is quite harmless, unlike the
"stealth forwarding" described there.

Is this all that IPSTEALTH and "stealth forwarding" are about, or
is there something more?
If this is all, then probably the explanation text in LINT should be
fixed, otherwise it may scare other people as well :)

Thanks,
Pavlin
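
A user-space model of the branch quoted above from netinet/ip_input.c, added here as an example; it is not part of the original message or of the FreeBSD source. It traces the TTL that leaves the router with ipstealth clear and set. struct pkt, forward_ttl_step, hops_until_drop and ttl_after are hypothetical names, and the loop of identically configured routers is a constructed scenario.

```c
#include <stdio.h>

#define IPTTLDEC 1   /* value of IPTTLDEC in netinet/ip.h */

struct pkt { unsigned char ip_ttl; };   /* hypothetical stand-in for struct ip */
enum verdict { FORWARD, TIME_EXCEEDED };

/* Mirrors the quoted branch: with ipstealth set, both the TTL check and the
 * decrement are skipped, because both sit inside the if (!ipstealth) block. */
static enum verdict forward_ttl_step(struct pkt *p, int ipstealth)
{
    if (!ipstealth) {
        if (p->ip_ttl <= IPTTLDEC)
            return TIME_EXCEEDED;   /* kernel calls icmp_error() and returns */
        p->ip_ttl -= IPTTLDEC;
    }
    return FORWARD;
}

/* Send one packet around a constructed forwarding loop in which every router
 * uses the same setting. Returns how many times it was forwarded before
 * being dropped, or -1 if it is still circulating after max_hops. */
static int hops_until_drop(unsigned char ttl, int ipstealth, int max_hops)
{
    struct pkt p = { ttl };
    for (int hop = 0; hop < max_hops; hop++)
        if (forward_ttl_step(&p, ipstealth) == TIME_EXCEEDED)
            return hop;
    return -1;
}

/* TTL seen downstream after n routers, or -1 if the packet expired on the way */
static int ttl_after(unsigned char ttl, int n, int ipstealth)
{
    struct pkt p = { ttl };
    for (int i = 0; i < n; i++)
        if (forward_ttl_step(&p, ipstealth) == TIME_EXCEEDED)
            return -1;
    return p.ip_ttl;
}

int main(void)
{
    printf("normal,  ttl 64: dropped after %d forwards\n", hops_until_drop(64, 0, 100000));
    printf("stealth, ttl 64: %d (-1 = never dropped)\n", hops_until_drop(64, 1, 100000));
    printf("ttl after 3 hops: normal %d, stealth %d\n", ttl_after(64, 3, 0), ttl_after(64, 3, 1));
    return 0;
}
```
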