Brad Hards <bhards@bigpond.net.au> writes:
> On Mon, 18 Nov 2002 06:42, Eric W. Biederman wrote:
> > As long as the network console/debug interface includes basic a basic
> > check to verify that the packets it accepts are from the local network.
> This is pretty hard to do in some configurations. You essentially have to do
> this at the router, not at destination.
I agree that you cannot do a perfect job. The goal is to get something
that is good enough so that it can be enabled and not give an automatic root
exploit if someone accidentally leaves it on at the wrong time.
> > And it's outgoing packets have a ttl of one. I don't have a problem.
> Recent IETF work on link-local has used TTL=255 outgoing, and it has to be 255
> at the receive end too. That is a reasonable way to ensure that is is
> link-local, since even the most brain-dead routers will at least decrement
> TTL.
Nice. And then on the transmit end I would still use a TTL=1 so that
routers will refuse to route the packets. A bit asymmetric but I only
care about security in one direction.
But in what kind of configurations is checking the ip against the
current netmask insufficient? Checking for a TTL of 255 will
trivially make the check stronger.
Having a network console for various debugging tasks could be very
useful. The question is how to implement it simply and reliably.
Eric
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Sat Nov 23 2002 - 22:00:19 EST