rfc3514 - Security Flag in the IPv4 Header

David Pick d.m.pick at qmul.ac.uk
Tue Apr 1 22:15:17 PST 2003


> Any chance this is an April Fool's joke?

The idea is sound and brilliant in concept.

> Inquiring minds see a real snakepit involved in applications
> setting and honoring a bit that conveys dishonorable
> intentions.   /-:

I think it's unfortunate that someone as well respected as
Stephen Bellovin should fall prey to an obvious trap. One
might very well think that it really doesn't matter which
way a bit gets set (or, to put it another way, whether a
zero or one value indicates "Evil"). Taken in isolation
this is true; however, as with all "upwards compatible"
changes to the Internet protocols, we have to take into
account the previous situation. Pre-RFC3514 packets will
have this bit set to a value of zero and this includes
packets with evil intent. Since we know that *most* packets
on the Internet at the moment are of evil intent we should
assume this fact and insist that packets should have this
bit set to one to positively assure us that the packet is
*known* to have pure and unsullied motives. After all, in
the security world it is recognised that a "default deny"
policy is much stronger than a "default accept" policy.

-- 
	David Pick
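The "which value means evil" question above is decidable only once the bit is actually pulled out of a header. The following is an added example, not code from the post, the list or RFC 3514 itself: it builds a minimal IPv4 header with a valid checksum, extracts the reserved high-order bit of the flags/fragment-offset word (the one RFC 3514 repurposes), and applies both the RFC's reading (bit set means evil, so drop, with everything else accepted by default) and the default-deny inversion argued in the post (only a packet that positively asserts benign intent by setting the bit is accepted). The addresses are from the documentation ranges and the packets are constructed, not captured; the policy function names are this example's own.

```python
"""Extract and act on the RFC 3514 reserved bit in a raw IPv4 header (added example)."""
import ipaddress
import struct

# RFC 3514 uses the high-order bit of the 16-bit flags/fragment-offset word
# (bytes 6-7 of the header), the one bit RFC 791 left reserved.
EVIL_BIT = 0x8000
DF_FLAG = 0x4000


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 791). Returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, evil: bool,
                      payload_len: int = 20, proto: int = 6, ttl: int = 64) -> bytes:
    """Build a 20-byte IPv4 header (no options) with the checksum filled in.

    Constructed test data, not a captured packet. `evil=False` is what every
    pre-RFC3514 sender emits, whatever its intentions.
    """
    ver_ihl = (4 << 4) | 5
    flags_frag = DF_FLAG | (EVIL_BIT if evil else 0)  # DF set, fragment offset 0
    hdr = struct.pack("!BBHHHBBH4s4s",
                      ver_ihl, 0, 20 + payload_len, 0x1234, flags_frag,
                      ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def evil_bit(packet: bytes) -> bool:
    """Return the RFC 3514 bit of an IPv4 packet, rejecting anything that is not IPv4."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    (flags_frag,) = struct.unpack_from("!H", packet, 6)
    return bool(flags_frag & EVIL_BIT)


def rfc3514_policy(packet: bytes) -> str:
    """RFC 3514 as written: a set bit means evil and is dropped; unset passes.

    This is default accept: legacy traffic, evil or not, has the bit clear.
    """
    return "drop" if evil_bit(packet) else "accept"


def default_deny_policy(packet: bytes) -> str:
    """The inversion argued in the post: accept only packets that positively
    assert benign intent by setting the bit; everything else is dropped.
    """
    return "accept" if evil_bit(packet) else "drop"


if __name__ == "__main__":
    legacy = build_ipv4_header("192.0.2.1", "198.51.100.7", evil=False)
    marked = build_ipv4_header("192.0.2.1", "198.51.100.7", evil=True)
    for name, pkt in (("legacy", legacy), ("marked", marked)):
        print(name, "bit=%d" % evil_bit(pkt),
              "rfc3514=%s" % rfc3514_policy(pkt),
              "default-deny=%s" % default_deny_policy(pkt),
              "checksum_ok=%s" % (ipv4_checksum(pkt) == 0))
```

Note that flipping the reserved bit changes the header checksum, so a middlebox that sets or clears it has to recompute the checksum (the builder above does so once at construction); a filter that only reads the bit does not.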



More information about the freebsd-security mailing list