Default behaviour of IP Options processing

Richard Coleman richardcoleman at mindspring.com
Thu May 6 17:29:59 PDT 2004


Julian Elischer wrote:

> On Thu, 6 May 2004, David W. Chapman Jr. wrote:
> 
>>> We are using RR option all the time to track down routing
>>> asymmetry and traceroute is not an option, ping -R is very useful
>>> in those cases. We all know that ipfw (and I am sure all other
>>> *pf*) is able to process ip opts quite well and personally see no
>>> point in these sysctls.  I fail to see a documentation update
>>> (inet.4 ?) as well.
>>> 
>>> It is not clear to me why you ever ask for opinions after commit
>>> not before.  Strick "nay" if you care :-)
>> 
>> He hasn't changed the default yet.  But I think for the select few
>> who actually use such tcp options, they can enable it.  Most of
>> the users however will not need this.  I think the point that is
>> trying to be made is that they want the default installation to be
>> more secure and those who need these features can simply turn them
>> on.
> 
> what security problem are you expecting?

Isn't that irrelevant?  If 99.99% of the FreeBSD users don't need ip 
options, why should they be honored by default?

Just because we can't think of a security issue at the moment doesn't 
mean one won't show up in the future.

But in the interest of POLA, I would vote for the default to be 0 (just 
ignore the option and pass packet unmodified).

And regardless of the outcome, please mention this somewhere in the 
networking section of the FreeBSD handbook.

Richard Coleman
richardcoleman at mindspring.com
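The three behaviours being argued over in this thread (ignore the option and forward the packet untouched, process it, or drop the packet), worked through in C as an added example that is not part of this thread or of FreeBSD's own code. It models the knob as a three-valued policy in the style of FreeBSD's net.inet.ip.process_options sysctl (0 = ignore, 1 = process, 2 = drop; the name comes from the FreeBSD documentation, not from this post), walks an IPv4 option area with the length checks a forwarding path needs, and for Record Route appends the router's address the way RFC 791 describes. The option bytes and the router address 192.0.2.1 are constructed sample input.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Policy values modelled on FreeBSD's net.inet.ip.process_options sysctl
 * (assumed here: 0 = ignore, 1 = process, 2 = drop). */
enum { POLICY_IGNORE = 0, POLICY_PROCESS = 1, POLICY_DROP = 2 };

/* What the forwarding path decides for the packet. */
enum { VERDICT_PASS = 0, VERDICT_DROP = 1, VERDICT_MALFORMED = 2 };

/* IPv4 option type codes from RFC 791. */
#define IPOPT_EOL 0   /* end of option list */
#define IPOPT_NOP 1   /* no-operation padding */
#define IPOPT_RR  7   /* record route */

/* Walk the option area of an IPv4 header (opts, optlen bytes) under policy.
 * Length fields are validated before use, so a malformed option list can
 * never make the walker read or write outside the buffer. POLICY_PROCESS
 * appends our_addr to a Record Route option at the slot its pointer names,
 * as a router honouring the option would; POLICY_IGNORE leaves opts as is. */
int process_ip_options(uint8_t *opts, size_t optlen, int policy,
                       const uint8_t our_addr[4])
{
    size_t i = 0;
    while (i < optlen) {
        uint8_t type = opts[i];
        if (type == IPOPT_EOL)
            break;
        if (type == IPOPT_NOP) {
            i++;
            continue;
        }
        /* Every other option carries a length byte covering type+len+data. */
        if (i + 1 >= optlen)
            return VERDICT_MALFORMED;
        uint8_t len = opts[i + 1];
        if (len < 2 || i + len > optlen)
            return VERDICT_MALFORMED;

        if (policy == POLICY_DROP)
            return VERDICT_DROP;          /* any real option rejects the packet */

        if (policy == POLICY_PROCESS && type == IPOPT_RR) {
            if (len < 3)
                return VERDICT_MALFORMED;
            uint8_t ptr = opts[i + 2];    /* 1-based offset of next free slot */
            if (ptr < 4)
                return VERDICT_MALFORMED;
            if (ptr > len) {
                /* Route data area full: forward without recording (RFC 791). */
            } else if ((size_t)ptr + 3 > len) {
                /* Room left but not a whole address: RFC 791 says discard. */
                return VERDICT_MALFORMED;
            } else {
                memcpy(&opts[i + ptr - 1], our_addr, 4);
                opts[i + 2] = (uint8_t)(ptr + 4);
            }
        }
        i += len;
    }
    return VERDICT_PASS;
}

/* Constructed sample option area (12 bytes, padded as an IPv4 header would):
 * a NOP, then Record Route with length 11, pointer 4 and two empty slots. */
static const uint8_t SAMPLE_OPTS[12] = {
    IPOPT_NOP, IPOPT_RR, 11, 4,
    0, 0, 0, 0,
    0, 0, 0, 0
};

/* Constructed address of "this router": 192.0.2.1 (documentation prefix). */
static const uint8_t OUR_ADDR[4] = { 192, 0, 2, 1 };

/* Copy the sample into out and run the walker `hops` times, as if the packet
 * crossed that many routers applying the same policy; return the last verdict. */
int run_policy(int policy, int hops, uint8_t out[12])
{
    int verdict = VERDICT_PASS;
    memcpy(out, SAMPLE_OPTS, sizeof SAMPLE_OPTS);
    for (int h = 0; h < hops && verdict == VERDICT_PASS; h++)
        verdict = process_ip_options(out, sizeof SAMPLE_OPTS, policy, OUR_ADDR);
    return verdict;
}

/* Number of addresses the sample's RR option holds: (pointer - 4) / 4. */
int rr_addresses_recorded(const uint8_t opts[12])
{
    return (opts[3] - 4) / 4;
}

/* Constructed truncated option list: the length byte claims 20 bytes but only
 * 4 are present, which must be rejected rather than walked. */
int malformed_example(void)
{
    uint8_t bad[4] = { IPOPT_RR, 20, 4, 0 };
    return process_ip_options(bad, sizeof bad, POLICY_PROCESS, OUR_ADDR);
}

int main(void)
{
    static const char *names[] = { "ignore", "process", "drop" };
    uint8_t buf[12];
    for (int p = POLICY_IGNORE; p <= POLICY_DROP; p++) {
        int v = run_policy(p, 3, buf);
        printf("policy=%-7s verdict=%d rr_addresses=%d\n",
               names[p], v, rr_addresses_recorded(buf));
    }
    printf("truncated option list -> verdict=%d\n", malformed_example());
    return 0;
}
```

With policy 0 the packet passes and the option bytes are identical on every hop, which is the "pass packet unmodified" behaviour Richard votes for; with policy 1 each hop fills one RR slot until the area is full, which is what makes ping -R useful for spotting asymmetric paths; with policy 2 the first router drops the packet. The length checks are the part a firewall or forwarding path must get right regardless of which default wins the vote.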


