
Bugtraq mailing list archives

Re: Loopback and multi-homed routing flaw in TCP/IP stack.


From: Lupe Christoph <lupe () LUPE-CHRISTOPH DE>
Date: Wed, 7 Mar 2001 08:59:10 +0100

On Wednesday, 2001-03-07 at 00:45:22 +0000, Woody wrote:

A machine which has routing turned off is not _expected_ to route, so
it is not tested for. This is the point of this advisory, which is
commonly missed.

You mean forwarding, not routing, I suppose?

Forwarding means that a router sends packets received on one interface
out to another interface, hence the term.

It does not mean the reachability of one interface of the router
by packets received on another. That's multi-homing.

As has been repeatedly pointed out to you, allowing this is
desirable in many situations (I'm not talking about 127/8 here,
this interface should not be reachable from the outside).

I have a lot of clients relying on this. They would be thoroughly
confused if their multihomed hosts used strict multihoming.

As for machines multihomed to different security zones - they
are relatively rare. Requiring *all* hosts to use strict multihoming
just because a few people could overlook a behaviour that could
compromise security in very few situations is overreacting.

I propose you retract your advisory because (as has been pointed out)
it isn't one. Instead, try to get vendors to implement *optional*
strict multihoming if they haven't already.

It saves on rulesets in IP Chains, Tables, Filter, etc. If you really
need it, that is.

Lupe Christoph
--
| lupe () lupe-christoph de       |        http://free.prohosting.com/~lupe |
| I have challenged the entire ISO-9000 quality assurance team to a      |
| Bat-Leth contest on the holodeck. They will not concern us again.      |
| http://public.logica.com/~stepneys/joke/klingon.htm                    |
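The distinction the post draws between forwarding (in one interface, out another), multihoming reachability (one interface's address reached via another) and the special case of 127/8 can be made concrete with a small model of a host's input-path decision. This is an added example, not part of the original message or of any real kernel; the interface names and addresses are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed example host: two "zones" plus loopback.
HOST_IFACES = {
    "eth0": ip_address("192.0.2.10"),     # outside zone (constructed)
    "eth1": ip_address("198.51.100.10"),  # inside zone (constructed)
    "lo":   ip_address("127.0.0.1"),
}
LOOPBACK_NET = ip_network("127.0.0.0/8")


def input_decision(in_iface, dst, strict_multihoming=False, forwarding=False):
    """Return what the modelled stack does with a packet for dst on in_iface.

    'deliver' - accepted as traffic for this host
    'forward' - handed to the forwarding path (only if forwarding is enabled)
    'drop'    - discarded
    This models the behaviours argued about in the thread, not a real stack.
    """
    dst = ip_address(dst)
    # 127/8 is never reachable from a non-loopback interface, whatever the
    # multihoming model; this is the one case the reply treats as settled.
    if dst in LOOPBACK_NET and in_iface != "lo":
        return "drop"
    owner = next((n for n, a in HOST_IFACES.items() if a == dst), None)
    if owner is not None:
        # Weak (default) model: any local address is reachable on any interface.
        # Strict multihoming: only the receiving interface's own address is.
        if strict_multihoming and owner != in_iface:
            return "drop"
        return "deliver"
    # Not a local address: this is forwarding in the post's sense,
    # and a host with forwarding off simply drops it.
    return "forward" if forwarding else "drop"


if __name__ == "__main__":
    # Inside-zone address reached from the outside interface: the case the
    # advisory worries about and the reply calls desirable by default.
    print(input_decision("eth0", "198.51.100.10"))                          # deliver
    print(input_decision("eth0", "198.51.100.10", strict_multihoming=True)) # drop
    print(input_decision("eth0", "127.0.0.1"))                              # drop
    print(input_decision("eth0", "203.0.113.5"))                            # drop
    print(input_decision("eth0", "203.0.113.5", forwarding=True))           # forward
```

The strict model rejects the cross-interface case without any packet-filter rule, which is the ruleset saving the reply refers to; the weak model is what the reply says most multihomed hosts rely on.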

