[58] in linux-net channel archive
NFS packets' source address & security.
daemon@ATHENA.MIT.EDU (Ian Jackson)
Fri Feb 3 08:50:01 1995
Date: Fri, 3 Feb 95 11:48 GMT
From: iwj10@cus.cam.ac.uk (Ian Jackson)
To: linux-net@vger.rutgers.edu
Cc: Swen Thuemmler <swen@uni-paderborn.de>
Swen Thuemmler writes ("Re: Linux-Activists - NET Channel digest. 95-0-17-12:21"):
> On Tue, 17 Jan 1995, lilo wrote:
> > I've been sitting around watching this debate, but I have to say
> > something. Are you seriously saying that an attacker claiming to be the
> > NFS server and giving bogus results is not something to worry about?
>
> Well, in some way this is what I am saying. In another it isn't. Yes, it
> is something to worry about. But not, this cannot be fixed with
> connected sockets, since the attacker has at least to produce a correct
> XID. And if he or she is able to do so, changing the address will not be
> a problem, either.
The XID is not particularly hard to predict or guess, and the attacker
can guess as many times as they like. (They may also find it out
quite easily if they are able to generate legitimate traffic to a host
they control, or are able to snoop but not to insert packets.)
> > Anything that leaves a loophole in which it might be possible to
> > deliberately produce incorrect output in an NFS server-client
> > conversation is worthy of serious concern.
>
> Yes, but this cannot be fixed by accepting only packets from one host,
> since an attacker can easily change the source address.
This is not true - many sites now configure their routers to block
packets that arrive on their external interface with a source address
on the internal network. Almost all sites should do this, and with
this in place the source address can at least be trusted to say
whether a packet is coming from inside or outside your own network,
which may well be enough.
However, if your NFS client will accept packets from any old source
address, this fails.
Furthermore, when IPSEC comes along and IP source addresses can be
authenticated, NFS can at least be made to work between mutually
trusting systems. This won't work either if packets from anywhere
work as replies.
Ian.
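The two policies argued over above, as an added example that is not part of the original thread or of any Linux NFS code: a minimal ONC RPC v2 reply matcher for a UDP client that either accepts any datagram whose XID matches an outstanding call (the lax behaviour) or also requires the datagram's source address and port to be the server the call was sent to (the "connected socket" policy), plus the router-style ingress rule from the message. The server and attacker addresses, the internal network 10.0.0.0/8, the sequential XID allocation and the reply bytes are all constructed for illustration.

```python
import struct
import ipaddress

RPC_REPLY = 1      # ONC RPC msg_type for a reply
MSG_ACCEPTED = 0   # reply_stat for an accepted reply


def build_rpc_reply(xid, payload=b""):
    """Constructed ONC RPC v2 reply: xid, msg_type=REPLY, reply_stat=MSG_ACCEPTED,
    verifier AUTH_NONE (flavor 0, length 0), accept_stat=SUCCESS, then payload."""
    return struct.pack("!6I", xid, RPC_REPLY, MSG_ACCEPTED, 0, 0, 0) + payload


def parse_rpc_reply(data):
    """Return (xid, payload) for an accepted reply; raise ValueError on anything else."""
    if len(data) < 24:
        raise ValueError("short RPC reply")
    xid, msg_type, reply_stat, _flavor, vlen, _accept = struct.unpack("!6I", data[:24])
    if msg_type != RPC_REPLY or reply_stat != MSG_ACCEPTED:
        raise ValueError("not an accepted RPC reply")
    body = 24 + ((vlen + 3) & ~3)  # verifier body is XDR-padded to 4 bytes
    return xid, data[body:]


class RpcClient:
    """UDP RPC client bookkeeping. check_source=False is the lax behaviour the
    thread objects to; check_source=True is the 'connected socket' policy."""

    def __init__(self, server, check_source, first_xid=0x1000):
        self.server = server              # (ip, port) the calls are sent to
        self.check_source = check_source
        self.pending = {}                 # xid -> (ip, port) the call went to
        self.next_xid = first_xid         # sequential XIDs (assumed): trivially guessable

    def send_call(self):
        xid = self.next_xid
        self.next_xid = (self.next_xid + 1) & 0xFFFFFFFF
        self.pending[xid] = self.server
        return xid

    def accept_reply(self, src, datagram):
        """src is the (ip, port) the datagram arrived from. Returns the payload
        if the reply is taken as the answer to an outstanding call, else None."""
        try:
            xid, payload = parse_rpc_reply(datagram)
        except ValueError:
            return None
        expected = self.pending.get(xid)
        if expected is None:
            return None                   # XID matches no outstanding call
        if self.check_source and src != expected:
            return None                   # right XID, wrong source: dropped
        del self.pending[xid]
        return payload


def predict_next_xid(observed_xid):
    """An attacker who learned one XID (e.g. from a call made to a host they
    control) predicts the client's next one under sequential allocation."""
    return (observed_xid + 1) & 0xFFFFFFFF


def ingress_drop(arrived_on_external, src_ip, internal_net="10.0.0.0/8"):
    """The router rule from the message: drop a packet that arrives on the
    external interface with a source address inside the internal network."""
    return arrived_on_external and (
        ipaddress.ip_address(src_ip) in ipaddress.ip_network(internal_net)
    )


def spoof_demo(check_source):
    """Client sends one call to the server; an attacker who predicted the XID
    injects a bogus reply from an outside address; then the genuine reply
    arrives. Returns (what the forged reply yielded, what the real reply yielded)."""
    server = ("10.0.0.2", 2049)           # constructed NFS server address
    attacker = ("192.0.2.7", 40000)       # constructed attacker source
    client = RpcClient(server, check_source)
    xid = client.send_call()
    forged = client.accept_reply(attacker, build_rpc_reply(predict_next_xid(xid - 1), b"bogus"))
    real = client.accept_reply(server, build_rpc_reply(xid, b"real"))
    return forged, real


if __name__ == "__main__":
    print("lax client   :", spoof_demo(check_source=False))   # bogus wins, real dropped
    print("strict client:", spoof_demo(check_source=True))    # bogus dropped, real used
    print("ingress drop :", ingress_drop(True, "10.0.0.5"))   # spoofed internal source
```

Under the lax policy the forged datagram is consumed as the answer and the genuine reply is then discarded as a duplicate, which is exactly the outcome the source-address check (and, at the border, the ingress filter) is meant to prevent; note that the strict client still matches the XID first, so the check adds to rather than replaces it.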