Bugtraq mailing list archives

Re: Loopback and multi-homed routing flaw in TCP/IP stack.


From: Ben Laurie <ben () ALGROUP CO UK>
Date: Tue, 6 Mar 2001 09:05:32 +0000

Perry Harrington wrote:

> I don't think the behavior should change because of DSR.  DSR is more useful
> than 'rightness' in my opinion.  A switch to turn it off if you don't want it is
> something I'd advocate, but the default should be 'on'.

The FreeBSD guys are making the behaviour switchable with a sysctl, I
believe. However, the default position should clearly be strong, not
weak - people who want weak are rare and really ought to know what
they're doing. POLA dictates that "internal" routing should not occur
when routing is disabled. Further, there's no circumstance I can think
of where it makes sense to route 127/8 from an external interface! That
behaviour should not be switchable.

Cheers,

Ben.


> --Perry
>
> On Mon, Mar 05, 2001 at 06:18:33PM -0800, ddowney () mail hislinuxbox net wrote:
> > On Mon, 5 Mar 2001, Perry Harrington wrote:
> >
> > > In short, yes security through obscurity is dumb, but calling for people to change
> > > this functionality is unwarranted when machines can be firewalled.
> >
> > Actually to me this sounds more like an excuse NOT to fix the problem
> > simply because it's "industry standard".
> >
> > Sometimes standards need to be looked at and revamped. In this case it's
> > one that would affect the industry as a whole. Are you calling for
> > advisories only simply because the workload would be tremendous or because
> > you truly believe that fixing this would affect nothing?
> >
> > ---
> > David D.W. Downey - RHCE
> > Consulting Engineer
> > Ensim Corporation
> > david.downey () ensim com
>
> --
> Perry Harrington                 Director of                   zelur xuniL  ()
> perry at webcom dot com      System Architecture               Think Blue.  /\


--
http://www.apache-ssl.org/ben.html

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

ApacheCon 2001! http://ApacheCon.com/
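The distinction Ben draws above (a host with routing disabled must not deliver packets that arrive on an external interface but are addressed to 127/8 or to another interface's address) can be made concrete with a small input-filter model. The following is an added example, not code from the thread or from any of the stacks discussed: it evaluates constructed sample packets against a strong host model, a weak host model and a forwarding router. The interface names, addresses and the `weak_host` / `ip_forwarding` policy flags are assumptions chosen for illustration, not the real sysctl knobs of FreeBSD or any other system.

```python
"""Toy strong-vs-weak host model input filter (added example, not from the thread).

Models the rule argued for in the message above: with routing disabled, a host
must not deliver packets that arrive on an external interface but are addressed
to 127/8 or to another interface's address. All interface names, addresses and
policy flag names are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")
LOOPBACK_IFACE = "lo0"

# Constructed sample host: one loopback and two external interfaces.
IFACE_ADDRS = {
    "lo0": {ipaddress.ip_address("127.0.0.1")},
    "fxp0": {ipaddress.ip_address("192.0.2.10")},
    "fxp1": {ipaddress.ip_address("198.51.100.10")},
}


@dataclass(frozen=True)
class Policy:
    # Stand-ins for the per-host switches the thread discusses (assumed names,
    # not real sysctls). weak_host: accept any local address on any interface.
    weak_host: bool = False
    # ip_forwarding: act as a router for non-local destinations.
    ip_forwarding: bool = False


@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet arrived on
    src: str
    dst: str


def evaluate(pkt: Packet, policy: Policy, iface_addrs=IFACE_ADDRS) -> str:
    """Return the verdict for one inbound packet under the given policy."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    all_local = set().union(*iface_addrs.values())

    # Rule 1: 127/8 never crosses a non-loopback interface, as source or
    # destination. No policy flag guards this, matching the argument that
    # routing 127/8 from an external interface should not be switchable.
    if pkt.iface != LOOPBACK_IFACE and (src in LOOPBACK_NET or dst in LOOPBACK_NET):
        return "drop: loopback address on external interface"

    # Rule 2: delivery to the arrival interface's own address is always fine,
    # and locally generated traffic on lo0 may reach any local address.
    if dst in iface_addrs.get(pkt.iface, set()):
        return "accept"
    if pkt.iface == LOOPBACK_IFACE and dst in all_local:
        return "accept"

    # Rule 3: addressed to another local interface. The weak host model (or a
    # host acting as a router) delivers it; the strong host model refuses.
    if dst in all_local:
        if policy.weak_host or policy.ip_forwarding:
            return "accept (delivered across interfaces)"
        return "drop: strong host model"

    # Rule 4: transit traffic only moves when the host is a router.
    return "forward" if policy.ip_forwarding else "drop: forwarding disabled"


def run_sample():
    """Evaluate a few constructed packets under each policy for inspection."""
    strong, weak, router = Policy(), Policy(weak_host=True), Policy(ip_forwarding=True)
    samples = [
        Packet("fxp0", "203.0.113.5", "127.0.0.1"),      # loopback via external
        Packet("fxp0", "203.0.113.5", "192.0.2.10"),     # to arrival interface
        Packet("fxp0", "203.0.113.5", "198.51.100.10"),  # to the other interface
        Packet("fxp0", "203.0.113.5", "198.51.100.99"),  # transit traffic
    ]
    return [(p, evaluate(p, strong), evaluate(p, weak), evaluate(p, router))
            for p in samples]


if __name__ == "__main__":
    for pkt, s, w, r in run_sample():
        print(f"{pkt.iface} {pkt.src} -> {pkt.dst}: strong={s!r} weak={w!r} router={r!r}")
```

Rule 1 sits before any policy check on purpose: even the router configuration drops 127/8 arriving on `fxp0`, which is the one case the message says should never be configurable. The strong and weak columns differ only for the packet addressed to the other interface, which is exactly the "internal routing" behaviour the sysctl discussed in the thread would toggle.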

