Bugtraq mailing list archives
Re: Loopback and multi-homed routing flaw in TCP/IP stack.
From: Neil W Rickert <rickert+bt () CS NIU EDU>
Date: Mon, 5 Mar 2001 20:07:04 -0600
Woody <woody () THEBUNKER NET> wrote:
> We believe there to be a serious security flaw in the TCP/IP stack of several Unix-like operating systems. Whilst being "known" behavior on technical mailing lists, we feel that the implications of this "feature" are unexpected. Furthermore, not all platforms behave in the same way, which will obviously lead to invalid expectations.

[detailed description snipped]

I am surprised to see this described as a flaw. It is behavior I have been relying on for some time. Specifically, on my client machines, I add a route to the alternate interface of my servers via the direct interface of the same server. This allows direct connection to the server without relying on a router, regardless of which IP address is used for the service. For NFS clients, I consider it important to be able to do this.

If there is a flaw, it is surely in the thinking of people who mistakenly assumed that multi-homed systems would not behave so as to allow this.

The original message states:

> At the moment, any machine which has either:
>
> o services running on the loopback interface
> o two or more external interfaces
>
> must be configured, using a firewall, to drop IP packets arriving from the wrong network in order to be secure. This is commonly not the case.

This is surely an overstatement. I expect that there are many multi-homed servers which offer the same network services on each interface. There do not appear to be any security issues in such cases.

-NWR
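The two positions in this message can be shown side by side in configuration. The script below is an added example, not code from the thread or from either poster; it assumes a Linux host with iptables and iproute2, and the interface names (eth0, eth1) and addresses (192.0.2.10, 10.0.0.10) are constructed placeholders for a hypothetical two-interface server. One function emits the server-side filter the original report calls for (drop packets that arrive on an interface but are addressed to another interface's address or to loopback, i.e. a strong-host policy); the other emits the client-side host route Neil describes. Both only print the commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example; not code from the Bugtraq thread. Assumes a Linux host with
# iptables and iproute2. Interface names and addresses are constructed
# placeholders for a hypothetical server with two interfaces.
#
# Side 1 (the original report's mitigation): on the multi-homed server, drop
# any packet that arrives on an interface but is addressed to a different
# interface's address or to loopback, i.e. enforce a strong-host model.
# Side 2 (Neil's client-side practice): on a client, add a host route so the
# server's other address is reached through the directly attached one.
#
# Both functions only print the commands (dry run). To apply, run as root:
#   gen_server_drop_rules | sh

# Hypothetical server interface table: "ifname address", one per line.
SERVER_IFACES="eth0 192.0.2.10
eth1 10.0.0.10"

gen_server_drop_rules() {
    # 127.0.0.0/8 must only ever arrive via lo.
    echo "iptables -I INPUT ! -i lo -d 127.0.0.0/8 -j DROP"

    printf '%s\n' "$SERVER_IFACES" | while read -r ifname addr; do
        [ -n "$ifname" ] || continue
        chain="IFCHECK_$ifname"
        # One chain per interface: RETURN for the address that belongs on
        # this interface (plus broadcast/multicast, which have no owner
        # interface), DROP everything else that came in on it.
        echo "iptables -N $chain"
        echo "iptables -A $chain -d $addr -j RETURN"
        echo "iptables -A $chain -m addrtype --dst-type BROADCAST -j RETURN"
        echo "iptables -A $chain -m addrtype --dst-type MULTICAST -j RETURN"
        echo "iptables -A $chain -j DROP"
        # Hook the check in at the top of INPUT for packets from $ifname.
        echo "iptables -I INPUT -i $ifname -j $chain"
    done
}

# gen_client_route ALT_ADDR DIRECT_ADDR: Neil's route. ALT_ADDR is the
# server address on the network the client is not attached to; DIRECT_ADDR
# is the server's address on the client's own network.
gen_client_route() {
    echo "ip route add $1/32 via $2"
}

# Demonstration when run directly: the server ruleset, then a client route
# that reaches the server's eth1 address through its eth0 address.
gen_server_drop_rules
gen_client_route 10.0.0.10 192.0.2.10
```

Two caveats worth knowing before applying this. First, Linux's rp_filter does not address the issue the report raises: it validates the source address against the routing table, not the destination, so it will not stop a packet for eth1's address arriving on eth0. Second, the per-interface chains are exactly what defeats Neil's setup: a client that routes 10.0.0.10 via 192.0.2.10 delivers a packet on eth0 addressed to eth1's address, which the IFCHECK_eth0 chain drops. That trade-off, strong-host filtering versus reaching any server address over whichever link is direct, is what the thread is arguing about. On current Linux kernels the loopback half is already covered by martian filtering unless net.ipv4.conf.<if>.route_localnet is enabled, so the first rule is belt-and-braces there; older stacks of the era behaved differently.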