Re: OBSD reaction to CERT advisory

[Paul Robertson <proberts () patriot net>]

On Wed, 9 Oct 2002, Daniel Hartmeier wrote:

> > http://www.kb.cert.org/vuls/id/AAMN-5EQPEF
>
> Part of that statement is a quote from an (internal) email I sent in
> reply to the question whether OpenBSD was vulnerable. That explains the
> undiplomatic choice of words.

It did look a lot like an e-mail rather than a response, and I'm not sure 
if that's a CERT failing or an OBSD one.  Thanks for responding to my 
note.

> The reason IPFilter is referenced is the fact that OpenBSD did ship with
> this packet filter prior to release 3.0, hence I think the vendor
> statement should include this distinction.

Sure, it should say something like "OpenBSD prior to 3.0 uses, IPFilter, 
we recommend that users upgrade to $foo or check with $bar."  Anything 
else looks like mud slinging.  We've all seen the fight between the OBSD 
folks and Darren, and frankly it doesn't need rehashed at every 
turn.

> > Statements like "The problem is in ipf" when there's been zero 
> > actual verification, let alone communication with the author should be 
> > taken as disinformation.
>
> Look at the source, it's obvious that selective ACK retransmissions
> fool the in-kernel ftp proxy. I don't think it's necessary to provide an
> actual exploit to proof the vulnerability. If, after reading the source,
> you don't agree that IPFilter, in a configuration where the in-kernel
> ftp proxy should protect the ftp _server_, is vulnerable to this kind of
> attack, let me know.

It's not a SACK problem, it's a TCP segement issue, and I'll certainly 
take a look- be that as it may, I still think it's more appropriate to 
either tell folks to upgrade or to point them at Darren than to sling 
mud, and "I looked at it, looks like it sucks" is mud slinging- maybe 
that wasn't the intenet, and maybe someone forwarded to CERT something 
that should have stayed internal, but it makes *everyone* look bad when 
this happens, and the Open Source community ($my_definition) doesn't need 
to look like a bunch of kids.

> I strongly believe that placing any application level proxy at the
> packet filter layer is fundamentally flawed.

I _completely_ agree with you, and I had no issues with that part of your 
message.  Clavister's response flung mud at the entire concept, and I 
think that wasn't a bad thing, I really hope though that someone takes the 
time to update the OBSD response.

Thanks,

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards