[19540] in bugtraq


Re: [Fwd: Re: Loopback and multi-homed routing flaw in TCP/IP

daemon@ATHENA.MIT.EDU (Darren Reed)
Wed Mar 7 13:45:49 2001

MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID:  <200103070803.TAA13933@cairo.anu.edu.au>
Date:         Wed, 7 Mar 2001 19:03:36 +1100
Reply-To: Darren Reed <avalon@COOMBS.ANU.EDU.AU>
From: Darren Reed <avalon@COOMBS.ANU.EDU.AU>
X-To:         ben@ALGROUP.CO.UK
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <3AA564FF.456C379@algroup.co.uk> from "Ben Laurie" at Mar 06,
              2001 10:30:23 PM

In some mail from Ben Laurie, sie said:
>
> Aleph1 wrote:
> > A flaw in the standard not on the stack. RFC 1122 "Requirements for
> > Internet Hosts -- Communication Layers" covers this issue although
> > without pointing out its security consequences.
>
> In the case that a host is not routing, it is abundantly clear that the
> strong model is the only correct one. Similarly, I would argue that in
> the case that a host is routing, the weak model is clearly correct. In
> more complex cases, one should use packet filtering to enforce
> requirements. You'll note that RFC 1122 is completely silent on the
> difference between routing and non-routing hosts, which makes it so
> broken it seems almost irrelevant on this issue.

Let me give you a 'counter example'.  Multi-homed server of some kind,
and a client goes to access it.  DNS server gives a reply with all of
the addresses included.  Which one does the client choose ?  Should it
have to check them all for the "best match" ?  What if it can't work
out what is the "best match" ?  The client should be able to pick
"any address" and connect, no ?  After all, the intention is to provide
a service to clients.  Whether the server listens on one address (as it
might) or all interface addresses or just "ANY" (all are quite valid
scenarios), if it is a general service then I generally want everyone
to access it and what it's bound to should be neither here nor there.
It should "just work".

I don't mention if it is a routing or non-routing server because it
makes no difference to me, as a client - or shouldn't at any rate.

I've seen a lot of people say "Strong ES model" should be the default,
but that is only a requirement for particular applications where you
want that behaviour.

To answer your question about what the RFC authors meant, maybe they
were thinking of actually just "using" multi-homed servers rather
than trying to impose security restrictions.
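
An added example, not part of the original message or of any stack's code: a small Python model of the RFC 1122 strong and weak end-system acceptance checks, applied to the multi-homed server scenario discussed above. The host layout, the addresses (documentation ranges) and the `selective` policy, which pins only chosen addresses to their own interface, are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

MODELS = ("weak", "strong", "selective")  # "selective" is a hypothetical policy

@dataclass
class Host:
    interfaces: dict                               # interface name -> set of local addresses
    restricted: set = field(default_factory=set)   # addresses pinned to their own interface

    def owner(self, dst):
        """Return the interface that holds dst, or None if dst is not local."""
        for name, addrs in self.interfaces.items():
            if dst in addrs:
                return name
        return None

    def accepts(self, in_if, dst, model):
        """Would a non-routing host deliver a packet for dst that arrived on in_if?"""
        dst = ipaddress.ip_address(dst)
        owner = self.owner(dst)
        if owner is None:
            return False                  # not a local address: dropped
        if model == "weak":
            return True                   # any local address, on any interface
        if model == "strong":
            return owner == in_if         # address must belong to the arrival interface
        if model == "selective":
            return owner == in_if or dst not in self.restricted
        raise ValueError(model)

def accepted(host, in_if, dsts):
    """Map each model to the destinations it accepts on in_if."""
    return {m: [d for d in dsts if host.accepts(in_if, d, m)] for m in MODELS}

ip = ipaddress.ip_address
# Constructed sample host: two public addresses (both in DNS), one internal, loopback.
HOST = Host(
    interfaces={
        "lo": {ip("127.0.0.1")},
        "eth0": {ip("192.0.2.10")},
        "eth1": {ip("198.51.100.10")},
        "eth2": {ip("10.0.0.10")},
    },
    restricted={ip("127.0.0.1"), ip("10.0.0.10")},
)
# Constructed packets, all arriving on eth0, one per destination address.
ARRIVING_ON_ETH0 = ["192.0.2.10", "198.51.100.10", "10.0.0.10", "127.0.0.1"]

if __name__ == "__main__":
    for model, dsts in accepted(HOST, "eth0", ARRIVING_ON_ETH0).items():
        print(f"{model:9} accepts on eth0: {dsts}")
```

Under the weak model the client can pick either DNS address, but the internal and loopback addresses are also reachable from eth0; under the strong model only the address owned by eth0 works.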
