Re: [Fwd: Re: Loopback and multi-homed routing flaw in TCP/IP

[Darren Reed <avalon () COOMBS ANU EDU AU>]

In some mail from Ben Laurie, sie said:
> Aleph1 wrote:
> > A flaw in the standard not on the stack. RFC 1122 "Requirements for
> > Internet
> > Hosts -- Communication Layers" covers this issue although without
> > pointing
> > out its security consequences.
>
> In the case that a host is not routing, it is abundantly clear that the
> strong model is the only correct one. Similarly, I would argue that in
> the case that a host is routing, the weak model is clearly correct. In
> more complex cases, one should use packet filtering to enforce
> requirements. You'll note that RFC 1122 is completely silent on the
> difference between routing and non-routing hosts, which makes it so
> broken it seems almost irrelevant on this issue.

Let me give you a 'counter example'.  Multi-homed server of some kind,
and a client goes to access it.  DNS server gives a reply with all of
the addresses included.  Which one does the client choose ?  Should it
have to check them all for the "best match" ?  What if it can't work
out what is the "best match" ?  The client should be able to pick
"any address" and connect, no ?  Afterall, the intention is to provide
a service to clients.  Whether the server listens on one address (as it
might) or all interface addreses or just "ANY" (all are quite valid
scenarios), if it is a general service then I generally want everyone
to access it and what it's bound to should be neither here nor there.
It should "just work".

I don't mention if it is a routing or non-routing server because it
makes no difference to me, as a client - or shouldn't at any rate.

I've seen a lot of people say "Strong ES model" should be the default,
but that is only a requirement for particular applications where you
want that behaviour.

To answer your question about what the RFC authors meant, maybe they
were thinking of actually just "using" multi-homed servers rather
than trying to impose security restrictions.