From: Russell King <rmk@arm.linux.org.uk>
To: tomc@teamics.com
Cc: linux-kernel@vger.kernel.org
Subject: Re: Problem: RFC1166 addressing
Date: Mon, 16 Sep 2002 18:04:41 +0100
Message-ID: <20020916180441.E23094@flint.arm.linux.org.uk>
In-Reply-To: <OF298A60D6.2FD15C58-ON86256C36.005B260E@teamics.com>; from tomc@teamics.com on Mon, Sep 16, 2002 at 11:50:36AM -0500
On Mon, Sep 16, 2002 at 11:50:36AM -0500, tomc@teamics.com wrote:
> RFC 1166 states that:
>
> The class A network number 127 is assigned the "loopback"
> function, that is, a datagram sent by a higher level protocol
> to a network 127 address should loop back inside the host. No
> datagram "sent" to a network 127 address should ever appear on
> any network anywhere.
Things to note:
"should" != "must"
1166 Internet numbers. S. Kirkpatrick, M.K. Stahl, M. Recker.
Jul-01-1990. (Format: TXT=566778 bytes) (Obsoletes RFC1117, RFC1062,
RFC1020) (Status: INFORMATIONAL)
^^^^^^^^^^^^^^^^^^^^^ (not a standard)
RFC2119 defines should and must as:
1. MUST This word, or the terms "REQUIRED" or "SHALL", mean that the
definition is an absolute requirement of the specification.
3. SHOULD This word, or the adjective "RECOMMENDED", mean that there
may exist valid reasons in particular circumstances to ignore a
particular item, but the full implications must be understood and
carefully weighed before choosing a different course.
> Linux does not enforce this. I have uncovered some users using this
> function to attempt to circumvent the firewall. I am able to "create"
> 127 network traffic as follows:
>
> Machine 1: ifconfig eth0:1 127.1.2.3 [ running kernel 2.2.14 ]
>
> Machine 2: ifconfig eth0:1 127.1.2.4 [ running kernel 2.4.19 ]
>
> Machine 2: ping 127.1.2.3
>
> Packets move between the hosts. Also seems to work on Macintosh.
If your users have access to ifconfig, then they can also send out
whatever packets they want via raw network sockets, even packets that
appear to be coming from external IP addresses. Adding protection
into the kernel for 127/8 buys you nothing from a determined user
that has root.
I'd suggest configuring the firewall up correctly; deny traffic with
the 127/8 address being received via any non-loopback interface.
A good rule of thumb for firewalls: Deny everything. Then
explicitly specify what you want to let through.
--
Russell King (rmk@arm.linux.org.uk) The developer of ARM Linux
http://www.arm.linux.org.uk/personal/aboutme.html
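The firewall layout Russell describes (deny everything by default, drop 127/8 traffic that arrives on any non-loopback interface, then explicitly allow what is wanted), written out as an added example that is not part of this thread. It assumes Linux iptables for IPv4; the interface name `eth0`, the ssh allow rule and the conntrack match are placeholders chosen for illustration. Run without arguments it only prints the commands it would issue; `--apply` executes them (as root).

```shell
#!/bin/sh
# Added example, not from the thread: default-deny firewall with explicit
# rules dropping 127/8 traffic seen on any real (non-loopback) interface.
# Assumptions: iptables/IPv4; "eth0" and the ssh rule are placeholders.

# Print a command instead of executing it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

loopback_rules() {
    # RFC 1166: 127/8 traffic loops back inside the host. A 127/8 source or
    # destination on a non-loopback interface is therefore spoofed or
    # misconfigured (e.g. "ifconfig eth0:1 127.1.2.3") and is dropped.
    run iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
    run iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
    run iptables -A FORWARD -s 127.0.0.0/8 -j DROP
    run iptables -A FORWARD -d 127.0.0.0/8 -j DROP
}

firewall_rules() {
    run iptables -F
    # Deny everything ...
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    # ... reject spoofed loopback addresses before any ACCEPT rule ...
    loopback_rules
    # ... then explicitly specify what is let through.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT   # placeholder: ssh
}

# Number of generated rules that mention 127.0.0.0/8 (dry run only), so a
# caller can check that the loopback policy is actually present.
count_loopback_rules() {
    DRY_RUN=1
    firewall_rules | grep -c '127\.0\.0\.0/8'
}

if [ "${1:-}" = "--apply" ]; then
    DRY_RUN=0
    firewall_rules
else
    DRY_RUN=1
    firewall_rules
fi
```

The order matters: the 127/8 DROP rules sit ahead of every ACCEPT rule, so an accept for established connections or for a service port cannot be reached by a spoofed loopback packet first.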