Re: hotmail not dealing with ECN

From: Florian Weimer (Florian.Weimer@RUS.Uni-Stuttgart.DE)
Date: Fri Jan 26 2001 - 09:04:36 EST


"Jeremy M. Dolan" <jmd@foozle.turbogeek.org> writes:

> RFC1812 Requirements for IP Version 4 Routers

RFC 1812 mandates routing of IP packets with reserved flags, but not
for TCP packets.

> RFC2979 Behavior of and Requirements for Internet Firewalls
>
> The last one seems it would have the most potential to clear up this
> mess, unfortunately it's only an informational RFC, and at a quick
> glance, doesn't look like it addresses this issue.

In fact, it does, but not in the way you want: ;-)

| When a firewall acts a protocol end point it may
|
| (1) implement a "safe" subset of the protocol,
|
| (2) perform extensive protocol validity checks,

| Good security may occasionally result in interoperability failures
| between components. This is understood. However, this doesn't mean
| that gratuitous interoperability failures caused by security
| components are acceptable.

It is completely acceptable to deploy a firewall which drops packets
in which reserved flags are not zero. Obviously, the implementer
doesn't know the effect of these flags (because they aren't defined
yet), so he's facing the choice whether to create a system which is
safe or a system which maximizes interoperability at the cost of
potential risks. IMHO, the first choice is much more appropriate than
the second one.

-- 
Florian Weimer 	                  Florian.Weimer@RUS.Uni-Stuttgart.DE
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
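
The check discussed in this message, as an added example that is not part of the original post or of any firewall's code: a strict filter that drops any TCP header with a non-zero RFC 793 reserved bit, beside one that treats ECN's CWR and ECE bits as defined. The names `check_reserved`, `STRICT_793` and `ECN_AWARE` are hypothetical, and the sample headers are constructed (checksums left at zero).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bytes 12-13 of the TCP header as one 16-bit field (RFC 793 layout):
 * 4 bits data offset | 6 bits reserved | URG ACK PSH RST SYN FIN. */
#define TCP_RESERVED_793 0x0FC0u /* all six bits RFC 793 reserves */
#define TCP_ECN_BITS     0x00C0u /* CWR (0x80) and ECE (0x40), used by ECN */

enum verdict { PASS, DROP };
enum policy { STRICT_793, ECN_AWARE }; /* hypothetical policy names */

/* Decide on one TCP header (network byte order, IP header already removed). */
enum verdict check_reserved(const uint8_t *tcp, size_t len, enum policy p)
{
    if (len < 20) /* shorter than a minimal TCP header */
        return DROP;
    uint16_t off_flags = (uint16_t)((tcp[12] << 8) | tcp[13]);
    uint16_t reserved = off_flags & TCP_RESERVED_793;
    if (p == ECN_AWARE) /* CWR/ECE count as defined; the other four do not */
        reserved &= (uint16_t)~TCP_ECN_BITS;
    return reserved ? DROP : PASS;
}

/* Constructed sample headers: ports 49152 -> 25, seq 1, window 5840. */
static const uint8_t plain_syn[20] = { /* SYN only */
    0xC0,0x00, 0x00,0x19, 0,0,0,1, 0,0,0,0, 0x50,0x02, 0x16,0xD0, 0,0, 0,0 };
static const uint8_t ecn_syn[20] = {   /* SYN + ECE + CWR (ECN-setup SYN) */
    0xC0,0x00, 0x00,0x19, 0,0,0,1, 0,0,0,0, 0x50,0xC2, 0x16,0xD0, 0,0, 0,0 };
static const uint8_t odd_syn[20] = {   /* SYN + a reserved bit ECN does not use */
    0xC0,0x00, 0x00,0x19, 0,0,0,1, 0,0,0,0, 0x52,0x02, 0x16,0xD0, 0,0, 0,0 };

int main(void)
{
    const struct { const char *name; const uint8_t *hdr; } s[] = {
        { "plain SYN", plain_syn }, { "ECN-setup SYN", ecn_syn },
        { "SYN + undefined bit", odd_syn } };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%-20s strict=%s ecn-aware=%s\n", s[i].name,
               check_reserved(s[i].hdr, 20, STRICT_793) == PASS ? "pass" : "drop",
               check_reserved(s[i].hdr, 20, ECN_AWARE) == PASS ? "pass" : "drop");
    return 0;
}
```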