[19504] in bugtraq
Re: Loopback and multi-homed routing flaw in TCP/IP stack.
daemon@ATHENA.MIT.EDU (Ben Laurie)
Tue Mar 6 13:24:12 2001
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <3AA4A958.DFF1A599@algroup.co.uk>
Date: Tue, 6 Mar 2001 09:09:44 +0000
Reply-To: Ben Laurie <ben@ALGROUP.CO.UK>
From: Ben Laurie <ben@ALGROUP.CO.UK>
X-To: Neil W Rickert <rickert+bt@CS.NIU.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
Neil W Rickert wrote:
>
> Woody <woody@THEBUNKER.NET> wrote:
>
> >We believe there to be a serious security flaw in the TCP/IP stack of
> >several Unix-like operating systems. Whilst being "known" behavior on
> >technical mailing lists, we feel that the implications of this
> >"feature" are unexpected. Furthermore, not all platforms behave in the
> >same way, which will obviously lead to invalid expectations.
>
> [detailed description snipped]
>
> I am surprised to see this described as a flaw. It is behavior I
> have been relying on for some time. Specifically, on my client
> machines, I add a route to the alternate interface of my servers via
> the direct interface of the same server. This allows direct
> connection to the server without relying on a router, regardless of
> which IP address is used for the service. For NFS clients, I
> consider it important to be able to do this.
>
> If there is a flaw, it is surely in the thinking of people who
> mistakenly assumed that multi-homed systems would not behave so as to
> allow this.
It is only a flaw when routing is disabled, as we stated.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
ApacheCon 2001! http://ApacheCon.com/
