Bugtraq mailing list archives
Re: Loopback and multi-homed routing flaw in TCP/IP stack.
From: Lupe Christoph <lupe () LUPE-CHRISTOPH DE>
Date: Wed, 7 Mar 2001 08:59:10 +0100
On Wednesday, 2001-03-07 at 00:45:22 +0000, Woody wrote:
> A machine which has routing turned off, is not _expected_ to route, so it is not tested for. This is the point of this advisory, which is commonly missed.

You mean forwarding, not routing, I suppose? Forwarding means that a router sends packets received on one interface out to another interface, hence the term. It does not mean the reachability of one interface of the router by packets received on another. That's multi-homing.

As has been repeatedly pointed out to you, allowing this is desirable in many situations (I'm not talking about 127/8 here; this interface should not be reachable from the outside). I have a lot of clients relying on this. They would be thoroughly confused if their multihomed hosts used strict multihoming.

As for machines multihomed to different security zones - they are relatively rare. Requiring *all* hosts to use strict multihoming just because a few people could overlook a behaviour that could compromise security in very few situations is overreacting.

I propose you retract your advisory because (as has been pointed out) it isn't one. Instead, try to get vendors to implement *optional* strict multihoming if they haven't already. It saves on rulesets in IP Chains, Tables, Filter, etc. If you really need it, that is.

Lupe Christoph
--
| lupe () lupe-christoph de     | http://free.prohosting.com/~lupe        |
| I have challenged the entire ISO-9000 quality assurance team to a      |
| Bat-Leth contest on the holodeck. They will not concern us again.      |
| http://public.logica.com/~stepneys/joke/klingon.htm                    |
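The distinction the reply draws (forwarding versus weak/strict multihoming, with 127/8 treated separately) is easy to state as a packet-admission decision. The following is an added example written for this archive page, not code from any poster or vendor stack: it models a host's input path under a weak host model, under strict multihoming, and with forwarding on or off, and it also emits the per-interface filter rules a Linux administrator would otherwise need to get the strict behaviour by hand (the "rulesets" the reply says an optional kernel setting would save). Interface names, the 192.0.2.0/24 and 10.0.0.0/8 addresses and the iptables rule shape are constructed assumptions for illustration; real stacks differ in detail.

```python
import ipaddress


class Host:
    """Toy model of a multihomed host's IP input path.

    interfaces: mapping of interface name -> list of address strings (constructed).
    forwarding: whether packets not addressed to this host are forwarded.
    strict: strict destination multihoming, i.e. a local address is only
            accepted when the packet arrives on the interface that owns it.
    """

    def __init__(self, interfaces, forwarding=False, strict=False):
        self.interfaces = {
            name: {ipaddress.ip_address(a) for a in addrs}
            for name, addrs in interfaces.items()
        }
        self.forwarding = forwarding
        self.strict = strict

    def local_addrs(self):
        return set().union(*self.interfaces.values())

    def classify(self, ingress, dst):
        """Return 'deliver', 'forward' or 'drop' for a packet received on
        interface `ingress` with destination address `dst`."""
        if ingress not in self.interfaces:
            raise ValueError(f"unknown interface {ingress!r}")
        dst = ipaddress.ip_address(dst)

        # 127/8 is never legitimately on the wire: accept only from lo itself,
        # regardless of the weak/strict setting (the reply's own carve-out).
        if dst.is_loopback:
            return "deliver" if ingress == "lo" else "drop"

        if dst in self.local_addrs():
            # Weak host model: any local address is reachable via any interface.
            # Strict multihoming: only addresses bound to the ingress interface.
            if self.strict and dst not in self.interfaces[ingress]:
                return "drop"
            return "deliver"

        # Not one of our addresses: this is the forwarding decision proper.
        return "forward" if self.forwarding else "drop"


def strict_emulation_rules(host):
    """Filter rules (iptables-style, assumed syntax) that emulate strict
    multihoming on a weak-host kernel: on every non-loopback interface, drop
    packets addressed to an address that belongs to a *different* interface,
    and always drop 127/8 arriving on anything but lo."""
    rules = ["iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP"]
    for name, addrs in host.interfaces.items():
        if name == "lo":
            continue
        for other, other_addrs in host.interfaces.items():
            if other in ("lo", name):
                continue
            for a in sorted(other_addrs):
                rules.append(f"iptables -A INPUT -i {name} -d {a} -j DROP")
    return rules


# Constructed example: one host, two wired interfaces in different zones.
IFACES = {
    "lo": ["127.0.0.1"],
    "eth0": ["192.0.2.10"],   # "outside" side, TEST-NET-1 address
    "eth1": ["10.0.0.10"],    # "inside" side
}


def demo():
    weak = Host(IFACES)
    strict = Host(IFACES, strict=True)
    fwd = Host(IFACES, forwarding=True)
    return {
        "weak_inside_via_outside": weak.classify("eth0", "10.0.0.10"),
        "strict_inside_via_outside": strict.classify("eth0", "10.0.0.10"),
        "strict_inside_via_inside": strict.classify("eth1", "10.0.0.10"),
        "loopback_via_outside": weak.classify("eth0", "127.0.0.1"),
        "transit_no_forwarding": weak.classify("eth0", "10.0.0.99"),
        "transit_with_forwarding": fwd.classify("eth0", "10.0.0.99"),
        "rule_count": len(strict_emulation_rules(weak)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
    print("\n".join(strict_emulation_rules(Host(IFACES))))
```

The "weak_inside_via_outside" case is the behaviour the reply's clients rely on and the advisory objects to; flipping `strict=True` is the optional kernel setting proposed instead of a blanket change, and `strict_emulation_rules` shows the filter entries that setting would make unnecessary (the list grows with the product of interfaces and addresses, which is the ruleset cost being referred to).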
Current thread:
- Re: Loopback and multi-homed routing flaw in TCP/IP stack., (continued)
- Re: Loopback and multi-homed routing flaw in TCP/IP stack. Lars Mathiesen (Mar 06)
- Re: Loopback and multi-homed routing flaw in TCP/IP stack. Lothar Beta (Mar 06)
- Re: Loopback and multi-homed routing flaw in TCP/IP stack. David Damerell (Mar 06)
- Re: Loopback and multi-homed routing flaw in TCP/IP stack. 3APA3A (Mar 06)
- Re: Loopback and multi-homed routing flaw in TCP/IP stack. Martin Macok (Mar 06)
- Re: Loopback and multi-homed routing flaw in TCP/IP stack. 3APA3A (Mar 07)
- Re: Loopback and multi-homed routing flaw in TCP/IP stack. bert hubert (Mar 06)
- Re: Loopback and multi-homed routing flaw in TCP/IP stack. Crist Clark (Mar 06)
- Re: Loopback and multi-homed routing flaw in TCP/IP stack. Martin Macok (Mar 06)
- Re: Loopback and multi-homed routing flaw in TCP/IP stack. Darren Reed (Mar 06)
- Re: Loopback and multi-homed routing flaw in TCP/IP stack. Woody (Mar 06)
- Re: Loopback and multi-homed routing flaw in TCP/IP stack. Lupe Christoph (Mar 07)
- Re: Loopback and multi-homed routing flaw in TCP/IP stack. Woody (Mar 06)
- Re: Loopback and multi-homed routing flaw in TCP/IP stack. BrandonButterworth (Mar 05)
- Re: Loopback and multi-homed routing flaw in TCP/IP stack. Adam Laurie (Mar 07)