[19503] in bugtraq
Re: Loopback and multi-homed routing flaw in TCP/IP stack.
daemon@ATHENA.MIT.EDU (Ben Laurie)
Tue Mar 6 13:10:18 2001
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <3AA4A85C.AF11CB27@algroup.co.uk>
Date: Tue, 6 Mar 2001 09:05:32 +0000
Reply-To: Ben Laurie <ben@ALGROUP.CO.UK>
From: Ben Laurie <ben@ALGROUP.CO.UK>
X-To: Perry Harrington <pedward@WEBCOM.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Perry Harrington wrote:
>
> I don't think the behavior should change because of DSR. DSR is more useful
> than 'rightness' in my opinion. A switch to turn it off if you don't want it is
> something I'd advocate, but the default should be 'on'.
The FreeBSD guys are making the behaviour switchable with a sysctl, I
believe. However, the default position should clearly be strong, not
weak - people who want weak are rare and really ought to know what
they're doing. POLA dictates that "internal" routing should not occur
when routing is disabled. Further, there's no circumstance I can think
of where it makes sense to route 127/8 from an external interface! That
behaviour should not be switchable.
Cheers,
Ben.
>
> --Perry
>
> On Mon, Mar 05, 2001 at 06:18:33PM -0800, ddowney@mail.hislinuxbox.net wrote:
> > On Mon, 5 Mar 2001, Perry Harrington wrote:
> >
> > > In short, yes security through obscurity is dumb, but calling for people to change
> > > this functionality is unwarranted when machines can be firewalled.
> > >
> >
> >
> > Actually to me this sounds more like an excuse NOT to fix the problem
> > simply because it's "industry standard".
> >
> > Sometimes standards need to be looked at and revamped. In this case it's
> > one that would affect the industry as a whole. Are you calling for
> > advisories only simply because the workload would be tremendous or because
> > you truly believe that fixing this would affect nothing?
> >
> >
> > ---
> > David D.W. Downey - RHCE
> > Consulting Engineer
> > Ensim Corporation
> > david.downey@ensim.com
> >
> >
>
> --
> Perry Harrington Director of zelur xuniL ()
> perry at webcom dot com System Architecture Think Blue. /\
>
> ------------------------------------------------------------------------
> Part 1.2 Type: application/pgp-signature
--
http://www.apache-ssl.org/ben.html
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
ApacheCon 2001! http://ApacheCon.com/
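The two rules argued over in this thread, as an added illustration that is not code from the thread, from FreeBSD, or from any real TCP/IP stack: a small model of a multi-homed host that decides whether an inbound packet may be delivered. Rule 1 (127/8 seen on a non-loopback interface is never legitimate) is hard-coded, matching Ben's position that it should not be switchable; rule 2 (delivering a packet that arrived on one interface but is addressed to another of the host's own addresses, the "internal routing" / weak-host behaviour) sits behind a `strong_host` flag that stands in for the sysctl the thread mentions and is off only when forwarding is enabled or the operator turns it off. The example also rejects a 127/8 *source* on an external interface, which the thread does not discuss; interface names, addresses and packets are constructed sample data.

```python
"""Inbound-packet admission check for a multi-homed host (illustrative model).

Added example; not code from the bugtraq thread, FreeBSD, or any real stack.
Interface names, addresses and packets are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Optional

LOOPBACK_NET = IPv4Network("127.0.0.0/8")


@dataclass(frozen=True)
class Interface:
    name: str
    address: IPv4Address
    is_loopback: bool = False


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    ingress: str  # name of the interface the packet arrived on


@dataclass
class HostPolicy:
    interfaces: Dict[str, Interface]
    forwarding: bool = False   # stands in for net.inet.ip.forwarding / ip_forward
    strong_host: bool = True   # stands in for the sysctl discussed in the thread

    def _owner(self, addr: IPv4Address) -> Optional[Interface]:
        """Return the local interface that carries addr, if any."""
        for iface in self.interfaces.values():
            if iface.address == addr:
                return iface
        return None

    def decide(self, pkt: Packet) -> str:
        """Return 'accept', 'forward', or 'drop:<reason>'."""
        iface = self.interfaces.get(pkt.ingress)
        if iface is None:
            return "drop:unknown-interface"
        # Rule 1 (not switchable): 127/8 only exists on the loopback interface.
        # Seeing it as destination or source anywhere else means spoofing or a
        # broken peer, so it is dropped regardless of the other settings.
        if not iface.is_loopback and (pkt.dst in LOOPBACK_NET or pkt.src in LOOPBACK_NET):
            return "drop:loopback-address-on-external-interface"
        owner = self._owner(pkt.dst)
        if owner is None:
            # Not addressed to this host at all: only a router passes it on.
            return "forward" if self.forwarding else "drop:not-local-and-not-forwarding"
        if iface.is_loopback or owner.name == iface.name:
            # Locally generated traffic, or a packet that arrived on the very
            # interface owning its destination address: always deliverable.
            return "accept"
        # Rule 2: addressed to one of our *other* interfaces. Delivering it is
        # the weak-host ("DSR") behaviour; here it is allowed only when routing
        # is enabled or the operator has explicitly chosen the weak model.
        if self.forwarding or not self.strong_host:
            return "accept"
        return "drop:internal-routing-with-forwarding-disabled"


# Constructed sample host: loopback, an "external" and an "internal" interface.
SAMPLE_HOST = HostPolicy(interfaces={
    "lo0": Interface("lo0", IPv4Address("127.0.0.1"), is_loopback=True),
    "fxp0": Interface("fxp0", IPv4Address("192.0.2.10")),  # external side
    "fxp1": Interface("fxp1", IPv4Address("10.0.0.10")),   # internal side
})


def run_samples(policy: HostPolicy = SAMPLE_HOST) -> Dict[str, str]:
    """Run a few constructed packets through the policy and return the verdicts."""
    outside = IPv4Address("198.51.100.7")
    cases = {
        "loopback_via_external": Packet(outside, IPv4Address("127.0.0.1"), "fxp0"),
        "internal_addr_via_external": Packet(outside, IPv4Address("10.0.0.10"), "fxp0"),
        "own_addr_via_own_iface": Packet(outside, IPv4Address("192.0.2.10"), "fxp0"),
        "transit": Packet(outside, IPv4Address("203.0.113.9"), "fxp0"),
        "local_via_loopback": Packet(IPv4Address("127.0.0.1"), IPv4Address("10.0.0.10"), "lo0"),
    }
    return {name: policy.decide(pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:28s} {verdict}")
```

With the defaults (forwarding off, strong host on) the packet for the internal address arriving on `fxp0` is dropped; constructing the policy with `strong_host=False` lets it through, while the 127/8 packet is dropped in both configurations.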