From owner-freebsd-net Wed Dec 22 0: 4:22 1999
Delivered-To: freebsd-net@freebsd.org
Received: from catarina.usc.edu (catarina.usc.edu [128.125.51.47]) by hub.freebsd.org (Postfix) with ESMTP id 1093815042 for ; Wed, 22 Dec 1999 00:04:20 -0800 (PST) (envelope-from pavlin@catarina.usc.edu)
Received: from rumi.usc.edu (rumi.usc.edu [128.125.51.41]) by catarina.usc.edu (8.9.3/8.9.3) with ESMTP id AAA28085; Wed, 22 Dec 1999 00:04:19 -0800 (PST)
Received: from rumi (localhost [127.0.0.1]) by rumi.usc.edu (8.9.3/8.9.3) with ESMTP id AAA21295; Wed, 22 Dec 1999 00:04:22 -0800 (PST)
Message-Id: <199912220804.AAA21295@rumi.usc.edu>
To: Dmitry Samersoff
Cc: Pavlin Ivanov Radoslavov , net@FreeBSD.ORG
Subject: Re: TTL and FreeBSD-3.4
In-reply-to: Your message of "Tue, 21 Dec 1999 13:33:35 +0300."
Date: Wed, 22 Dec 1999 00:04:22 -0800
From: Pavlin Ivanov Radoslavov
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > I just got the announcement for the FreeBSD-3.4 release and
> > something caught my attention:
> >
> > 1.2. SECURITY CHANGES
> > ---------------------
> >
> > Support has been added for forwarding IP datagrams without
> > inspecting or
> > decreasing the TTL in order to make gateways and firewalls less
> > visible
> > and therefore less exposed to attacks.
> > ======
> >
> > I understand the security concern and the motivations for adding
> > this feature, but isn't forwarding IP datagrams without decreasing
> > their TTL a violation of one of the requirements
> > for the routers (e.g. RFC 1812, Section 5.2.1.2 (step 7) and 5.3.1).
> > By not following this requirement, there is great danger from
> > looping packets infinitely, which could be much worse than
> > someone discovering your gateway IP address.
>
> IMHO, FreeBSD itself is dangerous enough, because all source is available ;-))
> All such patches believe that I know well what I'm doing, and save my time
> because I need not make such patches by hand.

Well, you don't really need FreeBSD's source, because you can always
write your own OS :)

After some search in the FreeBSD-current and 3.4 source tree, the only
thing I found related is IPSTEALTH. The LINT says:

# IPSTEALTH enables code to support stealth forwarding (i.e., forwarding
# packets without touching the ttl). This can be useful to hide firewalls
# from traceroute and similar tools.

However, IPSTEALTH matters only in the following code
(in netinet/ip_input.c):

#ifdef IPSTEALTH
	if (!ipstealth) {
#endif
		/* IPTTLDEC is 1: a TTL of 1 or less cannot be forwarded any further */
		if (ip->ip_ttl <= IPTTLDEC) {
			icmp_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS, dest, 0);
			return;
		}
		ip->ip_ttl -= IPTTLDEC;
#ifdef IPSTEALTH
	}
#endif

So, IPSTEALTH can be used to configure a router such that it will not
respond by ICMP "TTL Exceeded" if the ttl of the IP data packet is <= 1,
and therefore it will be invisible to traceroute. This is completely
different from the explanation in the LINT and from the text in the
original announcement, and is quite harmless, unlike the "stealth
forwarding" described there.

Is this all that IPSTEALTH and "stealth forwarding" is about, or is there
something more? If this is all, then probably the explanation text in
LINT should be fixed, otherwise it may scare other people as well :)

Thanks,
Pavlin
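An added example, not part of the thread and not code from FreeBSD's tree: a small user-space C model of the #ifdef IPSTEALTH block quoted above, with the RFC 1812 behaviour (check and decrement the TTL) and the stealth behaviour (skip the whole block) side by side. It then runs a constructed forwarding loop between two routers through both paths, which is the danger raised in the original message: with the decrement skipped, nothing in the TTL mechanism ever terminates the loop. The struct and function names (ip_hdr, forward_ttl_check, simulate_loop, ttl_after_hop, hop_action) are mine, and the loop scenario is constructed.

```c
/*
 * Added example (not FreeBSD code): a user-space model of the TTL handling
 * in the #ifdef IPSTEALTH block of netinet/ip_input.c, plus a constructed
 * routing loop to show the effect of skipping the decrement.
 * Names ip_hdr, forward_ttl_check, simulate_loop, ttl_after_hop and
 * hop_action are assumptions of this example, not kernel identifiers.
 */
#include <stdint.h>
#include <stdio.h>

#define IPTTLDEC 1              /* same meaning as in FreeBSD: TTL decrement per hop */

/* Minimal stand-in for struct ip; only the field the quoted check touches. */
struct ip_hdr {
    uint8_t ttl;
};

enum fwd_action {
    FWD_FORWARDED,              /* packet is passed on to the next hop */
    FWD_TIME_EXCEEDED           /* packet dropped; kernel would send ICMP time exceeded */
};

/*
 * Models the quoted block.  With ip_stealth == 0 the router does what
 * RFC 1812 requires: reject a packet whose TTL is already exhausted and
 * decrement the TTL of every packet it forwards.  With ip_stealth != 0
 * the whole block is skipped: no ICMP reply, and no decrement either.
 */
enum fwd_action forward_ttl_check(struct ip_hdr *ip, int ip_stealth)
{
    if (!ip_stealth) {
        if (ip->ttl <= IPTTLDEC)
            return FWD_TIME_EXCEEDED;   /* icmp_error(m, ICMP_TIMXCEED, ...) in the kernel */
        ip->ttl -= IPTTLDEC;
    }
    return FWD_FORWARDED;
}

/* TTL left in the header after one forwarding decision on a fresh packet. */
int ttl_after_hop(uint8_t ttl, int ip_stealth)
{
    struct ip_hdr ip = { .ttl = ttl };
    forward_ttl_check(&ip, ip_stealth);
    return ip.ttl;
}

/* The forwarding decision taken for a fresh packet with the given TTL. */
int hop_action(uint8_t ttl, int ip_stealth)
{
    struct ip_hdr ip = { .ttl = ttl };
    return forward_ttl_check(&ip, ip_stealth);
}

/*
 * Constructed scenario: two routers that each believe the other is the
 * next hop, so the same packet is handed back and forth.  Returns the hop
 * number at which the packet is finally discarded, or -1 if it is still
 * circulating after max_hops forwarding decisions.
 */
int simulate_loop(uint8_t initial_ttl, int ip_stealth, int max_hops)
{
    struct ip_hdr ip = { .ttl = initial_ttl };
    for (int hop = 1; hop <= max_hops; hop++) {
        if (forward_ttl_check(&ip, ip_stealth) == FWD_TIME_EXCEEDED)
            return hop;
    }
    return -1;
}

int main(void)
{
    /* Normal forwarding: a TTL of 64 is used up after 63 hops and the
     * packet is discarded on the 64th decision. */
    printf("RFC 1812 forwarding, TTL 64: discarded at hop %d\n",
           simulate_loop(64, 0, 100000));
    /* Stealth forwarding: the TTL is never touched, so the bound on the
     * loop has to come from somewhere else (link capacity, an operator). */
    printf("stealth forwarding,  TTL 64: discarded at hop %d (-1 = never)\n",
           simulate_loop(64, 1, 100000));
    return 0;
}
```

The thing to take from the loop run is that the TTL is the only hop-count bound IP has; once a router stops decrementing it, a misrouted packet between two such routers is limited only by link capacity, which is exactly the RFC 1812 Section 5.3.1 concern in the quoted message. Suppressing the ICMP reply alone (the traceroute-hiding part) would not have that effect, because the decrement would still eventually drop the packet.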