Default behaviour of IP Options processing

Martin Stiemerling stiemerling at netlab.nec.de
Fri May 7 00:51:17 PDT 2004


Hi,

I vote for choice "Ignore IP options and pass packets unmodified." since 
this is fail-safe for the node receiving the packet and does not break end-to-end 
traffic.  Anyway, setting the default to reject packets is IMHO not 
a good idea, since packets are probably dropped by your router somewhere in 
the Internet without any obvious reason to other people or hosts.

Setting the default behaviour to reject will even block the deployment of 
new protocols.  There is currently a new signalling protocol under 
development, called NSIS (Next Steps in Signalling, IETF stuff, intended to 
be an RSVP successor), that will use router alert options to find NSIS nodes 
along the data path.

Regards,

  Martin

--On Thursday, 6 May 2004 21:16 +0200 Andre Oppermann 
<andre at freebsd.org> wrote:

| I have just committed the attached change to ip_input() to control the
| behaviour of IP Options processing.  The default is the unchanged
| current behaviour.
|
| However I want to propose to change the default from processing options
| to ignoring options (or even stronger to reject them).
|
| The rationale is as follows.  IP Options do not have any legitimate use
| in today's Internet at all.  For a long time now we have disabled source
| routing.  The remaining IP Options are RR (record route) and TS (time
| stamp) which are both useless.  For finding out which path a packet takes
| we use traceroute instead of RR.  Besides that RR is limited to the space
| in the IP Options field and can possibly record only a few hops (9 IIRC).
| Time stamp is useless for the same reason, and since it doesn't have a
| fixed and synchronized timebase it is even more useless.
|
| Opinions?  Discussion?  Yes/Nay?
|
| --
| Andre
|
|
|> andre       2004/05/06 11:46:03 PDT
|>
|>   FreeBSD src repository
|>
|>   Modified files:
|>     sys/netinet          ip_fastfwd.c ip_input.c ip_var.h
|>   Log:
|>   Provide the sysctl net.inet.ip.process_options to control the
|>   processing of IP options.
|>
|>    net.inet.ip.process_options=0  Ignore IP options and pass packets unmodified.
|>    net.inet.ip.process_options=1  Process all IP options (default).
|>    net.inet.ip.process_options=2  Reject all packets with IP options with ICMP filter prohibited message.
|>
|>   This sysctl affects packets destined for the local host as well as
|>   those only transiting through the host (routing).
|>
|>   IP options do not have any legitimate purpose anymore and are only used
|>   to circumvent firewalls or to exploit certain behaviours or bugs in
|>   TCP/IP stacks.
|>
|>   Reviewed by:    sam (mentor)
|>
|>   Revision  Changes    Path
|>   1.11      +10 -2     src/sys/netinet/ip_fastfwd.c
|>   1.271     +13 -0     src/sys/netinet/ip_input.c
|>   1.87      +1 -0      src/sys/netinet/ip_var.h
| _______________________________________________
| freebsd-net at freebsd.org mailing list
| http://lists.freebsd.org/mailman/listinfo/freebsd-net
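The following is an added illustration of the three net.inet.ip.process_options modes from the quoted commit, not FreeBSD's own code: it parses the options region of a constructed IPv4 header, applies each mode as a pure policy decision, and checks the Record Route hop limit Andre recalled from the 40-byte options budget. The sample header, the `build_header` helper and the `decide` return values are assumptions made for the example.

```python
import struct

# IPv4 option type codes (RFC 791; Router Alert from RFC 2113).
IPOPT_EOL, IPOPT_NOP, IPOPT_RR, IPOPT_TS, IPOPT_RA = 0, 1, 7, 68, 148
MAX_OPTS_LEN = 40  # 60-byte maximum header minus the 20-byte fixed part
# The three net.inet.ip.process_options values from the commit message.
IGNORE, PROCESS, REJECT = 0, 1, 2
# ICMP destination unreachable, code 13 (FreeBSD ICMP_UNREACH_FILTER_PROHIB).
ICMP_FILTER_PROHIB = (3, 13)
def parse_options(hdr):
    """Return [(type, payload)] for the options region of an IPv4 header."""
    ihl = (hdr[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(hdr):
        raise ValueError("bad IHL")
    opts, i, out = hdr[20:ihl], 0, []
    while i < len(opts):
        t = opts[i]
        if t == IPOPT_EOL:
            break
        if t == IPOPT_NOP:
            i += 1
            continue
        # Every other option is TLV; reject lengths that run past the header.
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option length")
        out.append((t, bytes(opts[i + 2:i + opts[i + 1]])))
        i += opts[i + 1]
    return out

def max_rr_hops():
    """RR spends 3 bytes on type/len/pointer; the rest holds 4-byte addresses."""
    return (MAX_OPTS_LEN - 3) // 4

def decide(mode, hdr):
    """Apply the process_options policy to one header; returns (action, detail)."""
    opts = parse_options(hdr)
    if not opts or mode == IGNORE:
        return ("forward", None)
    if mode == REJECT:
        return ("reject", ICMP_FILTER_PROHIB)
    return ("process", [t for t, _ in opts])
def build_header(options):
    """Constructed sample: minimal IPv4 header carrying the given raw option bytes."""
    options += b"\x00" * (-len(options) % 4)  # pad options to a 4-byte boundary
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | (5 + len(options) // 4), 0, 20 + len(options),
                        0, 0, 64, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return fixed + options

# Constructed packet: Router Alert (as NSIS would use) plus an RR option holding 8 addresses.
SAMPLE = build_header(bytes([IPOPT_RA, 4, 0, 0]) + bytes([IPOPT_RR, 35, 4]) + b"\x00" * 32)
```

With the 40-byte budget the arithmetic gives exactly 9 recordable hops, matching the figure in the thread; the same header is forwarded untouched in mode 0, handed to option processing in mode 1, and answered with an ICMP filter-prohibited message in mode 2.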