Bugtraq mailing list archives

Re: Loopback and multi-homed routing flaw in TCP/IP stack.


From: Ben Laurie <ben () ALGROUP CO UK>
Date: Tue, 6 Mar 2001 09:09:44 +0000

Neil W Rickert wrote:

> Woody <woody () THEBUNKER NET> wrote:
>
> > We believe there to be a serious security flaw in the TCP/IP stack of
> > several Unix-like operating systems. Whilst being "known" behavior on
> > technical mailing lists, we feel that the implications of this
> > "feature" are unexpected. Furthermore, not all platforms behave in the
> > same way, which will obviously lead to invalid expectations.
>
> [detailed description snipped]
>
> I am surprised to see this described as a flaw.  It is behavior I
> have been relying on for some time.  Specifically, on my client
> machines, I add a route to the alternate interface of my servers via
> the direct interface of the same server.  This allows direct
> connection to the server without relying on a router, regardless of
> which IP address is used for the service.  For NFS clients, I
> consider it important to be able to do this.
>
> If there is a flaw, it is surely in the thinking of people who
> mistakenly assumed that multi-homed systems would not behave so as to
> allow this.

It is only a flaw when routing is disabled, as we stated.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

ApacheCon 2001! http://ApacheCon.com/
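The disagreement above is about the "weak host" model: a multi-homed host accepts a packet for any address it owns on any interface, even with IP forwarding turned off. Neil's client-side route depends on that; Ben's point is that an administrator who disabled routing may not expect it. The following is an added example, not code from the original thread or from any of the posters. It models both the weak and the strong host decision for a constructed two-interface server (names and addresses are sample values) and emits nftables rules, assuming a Linux host, that enforce the strong-host behaviour for hosts where forwarding is disabled and that behaviour is actually wanted.

```python
"""Model the host-acceptance behaviour discussed in this thread and emit
nftables rules that enforce the stricter alternative.

This is an added example, not code from the original post. Interface names
and addresses are constructed sample values; the rule syntax assumes a Linux
host with nftables.
"""
from ipaddress import IPv4Address
from typing import Dict

# Constructed sample multi-homed server: one address per interface.
SAMPLE_INTERFACES: Dict[str, str] = {
    "eth0": "192.0.2.10",     # "direct" interface, on the client's subnet
    "eth1": "198.51.100.10",  # "alternate" interface, on a separate subnet
}


def classify(in_iface: str, dst: str, interfaces: Dict[str, str],
             forwarding_enabled: bool, strong_host: bool = False) -> str:
    """Decide what a host does with a packet arriving on in_iface for dst.

    Returns "deliver", "forward" or "drop".

    Weak host model (the behaviour the thread describes): any address the host
    owns is accepted on any interface, whether or not forwarding is enabled.
    Strong host model: a locally owned dst is accepted only on the interface
    that carries that address. Forwarding decides the fate of non-local dst.
    """
    target = IPv4Address(dst)
    owned = {name: IPv4Address(addr) for name, addr in interfaces.items()}
    if in_iface not in owned:
        raise ValueError(f"unknown interface {in_iface!r}")
    if target in owned.values():
        if strong_host and owned[in_iface] != target:
            return "drop"
        return "deliver"
    return "forward" if forwarding_enabled else "drop"


def strong_host_rules(interfaces: Dict[str, str]) -> str:
    """Generate an nftables input chain that drops packets which arrive on
    one interface but are addressed to another interface's address."""
    lines = [
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        "    iif lo accept",
    ]
    for iface in interfaces:
        for other_iface, other_addr in interfaces.items():
            if other_iface != iface:
                lines.append(f'    iifname "{iface}" ip daddr {other_addr} counter drop')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    alt = SAMPLE_INTERFACES["eth1"]
    # The case the thread argues about: forwarding off, a packet for eth1's
    # address arrives on eth0.
    print("weak host  :", classify("eth0", alt, SAMPLE_INTERFACES, forwarding_enabled=False))
    print("strong host:", classify("eth0", alt, SAMPLE_INTERFACES, False, strong_host=True))
    print(strong_host_rules(SAMPLE_INTERFACES))
```

Loading the generated rules makes the server behave the way Woody's report expected a non-routing host to behave, and it also breaks exactly the configuration Neil describes: a client route to the alternate address via the direct interface would then be dropped at the server, so the rules belong only on hosts where nobody relies on that trick.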

