[19536] in bugtraq


Re: Loopback and multi-homed routing flaw in TCP/IP stack.

daemon@ATHENA.MIT.EDU (Lupe Christoph)
Wed Mar 7 12:26:25 2001

Mail-Followup-To: Lupe Christoph <lupe@alanya.lupe-christoph.de>,
                  Woody <woody@THEBUNKER.NET>, BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-ID:  <20010307085909.G1243@alanya.lupe-christoph.de>
Date:         Wed, 7 Mar 2001 08:59:10 +0100
Reply-To: Lupe Christoph <lupe@LUPE-CHRISTOPH.DE>
From: Lupe Christoph <lupe@LUPE-CHRISTOPH.DE>
X-To:         Woody <woody@THEBUNKER.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <3AA584A2.F8D3E37D@thebunker.net>; from woody@THEBUNKER.NET on
              Wed, Mar 07, 2001 at 12:45:22AM +0000

On Wednesday, 2001-03-07 at 00:45:22 +0000, Woody wrote:

> A machine which has routing turned off, is not _expected_ to route, so
> it is not tested for.
> This is the point of this advisory, which is commonly missed.

You mean forwarding, not routing, I suppose?

Forwarding means that a router sends packets received on one interface
out to another interface, hence the term.

It does not mean the reachability of one interface of the router
by packets received on another. That's multi-homing.

As has been repeatedly pointed out to you, allowing this is
desirable in many situations (I'm not talking about 127/8 here,
this interface should not be reachable from the outside).

I have a lot of clients relying on this. They would be thoroughly
confused if their multihomed hosts used strict multihoming.

As for machines multihomed to different security zones - they
are relatively rare. Requiring *all* hosts to use strict multihoming
just because a few people could overlook a behaviour that could
compromise security in very few situations is overreacting.

I propose you retract your advisory because (as has been pointed out)
it isn't one. Instead, try to get vendors to implement *optional*
strict multihoming if they haven't already.

It saves on rulesets in IP Chains, Tables, Filter, etc. If you really
need it, that is.

Lupe Christoph
--
| lupe@lupe-christoph.de       |        http://free.prohosting.com/~lupe |
| I have challenged the entire ISO-9000 quality assurance team to a      |
| Bat-Leth contest on the holodeck. They will not concern us again.      |
| http://public.logica.com/~stepneys/joke/klingon.htm                    |
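The distinction drawn in the reply above (forwarding versus reaching one interface's address through another, with 127/8 off limits from the outside either way), as an added example that is not code from the thread: the `Host` model and the RFC 5737 addresses are constructed, and `strict_input_rules` sketches the kind of netfilter ruleset the last paragraph refers to.

```python
from ipaddress import ip_address, ip_network

LOOPBACK = ip_network("127.0.0.0/8")

# Constructed addresses (RFC 5737 documentation ranges), not a real host.
ADDRS = {"lo": "127.0.0.1", "eth0": "192.0.2.10", "eth1": "198.51.100.10"}


class Host:
    """Minimal model of an IP stack's input path (constructed, not any real OS)."""

    def __init__(self, addrs, forwarding=False, strict_multihoming=False):
        self.addrs = {iface: ip_address(a) for iface, a in addrs.items()}
        self.forwarding = forwarding        # the "routing turned off" knob
        self.strict = strict_multihoming    # strong vs. weak host model

    def decide(self, in_iface, dst):
        """Return DELIVER, FORWARD or DROP for a packet to dst arriving on in_iface."""
        dst = ip_address(dst)
        # 127/8 belongs to the loopback interface only: a 127.x destination
        # arriving on a real NIC is a martian and is refused under either model.
        if dst in LOOPBACK:
            return "DELIVER" if in_iface == "lo" else "DROP"
        if dst == self.addrs.get(in_iface):
            return "DELIVER"                # addressed to the ingress interface
        if dst in self.addrs.values():
            # Addressed to another interface of this host. That is multi-homed
            # reachability, not forwarding: weak model accepts, strict model drops.
            return "DROP" if self.strict else "DELIVER"
        # Not a local address at all: only a forwarding host sends it on.
        return "FORWARD" if self.forwarding else "DROP"


def strict_input_rules(host, tool="iptables"):
    """Netfilter INPUT rules giving a weak-model Linux host strict multihoming.

    For each pair of non-loopback interfaces, drop packets arriving on one that
    are addressed to the other. Illustrative output; fit it to the existing
    ruleset (chain order, established-connection rules) before loading it.
    """
    rules = []
    nics = {i: a for i, a in host.addrs.items() if i != "lo" and a not in LOOPBACK}
    for in_iface in nics:
        for other_iface, other_addr in nics.items():
            if other_iface != in_iface:
                rules.append(f"{tool} -A INPUT -i {in_iface} -d {other_addr} -j DROP")
    return rules
```

With `forwarding=False` the model never sends a foreign destination on, yet under the weak host model it still answers for eth1's address on eth0; only `strict_multihoming=True` (or the generated rules) closes that path.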
