* Problem: RFC1166 addressing
From: tomc @ 2002-09-16 16:50 UTC
To: linux-kernel
RFC 1166 states that:
The class A network number 127 is assigned the "loopback"
function, that is, a datagram sent by a higher level protocol
to a network 127 address should loop back inside the host. No
datagram "sent" to a network 127 address should ever appear on
any network anywhere.
Linux does not enforce this. I have uncovered some users using this
function to attempt to circumvent the firewall. I am able to "create" 127
network traffic as follows:
Machine 1: ifconfig eth0:1 127.1.2.3 [ running kernel 2.2.14 ]
Machine 2: ifconfig eth0:1 127.1.2.4 [ running kernel 2.4.19 ]
Machine 2: ping 127.1.2.3
Packets move between the hosts. Also seems to work on Macintosh.
tc
* Re: Problem: RFC1166 addressing
From: Russell King @ 2002-09-16 17:04 UTC
To: tomc; +Cc: linux-kernel
On Mon, Sep 16, 2002 at 11:50:36AM -0500, tomc@teamics.com wrote:
> RFC 1166 states that:
>
> The class A network number 127 is assigned the "loopback"
> function, that is, a datagram sent by a higher level protocol
> to a network 127 address should loop back inside the host. No
> datagram "sent" to a network 127 address should ever appear on
> any network anywhere.
Things to note:
"should" != "must"
1166 Internet numbers. S. Kirkpatrick, M.K. Stahl, M. Recker.
Jul-01-1990. (Format: TXT=566778 bytes) (Obsoletes RFC1117, RFC1062,
RFC1020) (Status: INFORMATIONAL)
^^^^^^^^^^^^^^^^^^^^^ (not a standard)
RFC2119 defines should and must as:
1. MUST This word, or the terms "REQUIRED" or "SHALL", mean that the
definition is an absolute requirement of the specification.
3. SHOULD This word, or the adjective "RECOMMENDED", mean that there
may exist valid reasons in particular circumstances to ignore a
particular item, but the full implications must be understood and
carefully weighed before choosing a different course.
> Linux does not enforce this. I have uncovered some users using this
> function to attempt to circumvent the firewall. I am able to "create"
> 127 network traffic as follows:
>
> Machine 1: ifconfig eth0:1 127.1.2.3 [ running kernel 2.2.14 ]
>
> Machine 2: ifconfig eth0:1 127.1.2.4 [ running kernel 2.4.19 ]
>
> Machine 2: ping 127.1.2.3
>
> Packets move between the hosts. Also seems to work on Macintosh.
If your users have access to ifconfig, then they can also send out
whatever packets they want via raw network sockets, even packets that
appear to be coming from external IP addresses. Adding protection
into the kernel for 127/8 buys you nothing from a determined user
that has root.
I'd suggest configuring the firewall up correctly; deny traffic with
the 127/8 address being received via any non-loopback interface.
A good rule of thumb for firewalls: Deny everything. Then
explicitly specify what you want to let through.
--
Russell King (rmk@arm.linux.org.uk) The developer of ARM Linux
http://www.arm.linux.org.uk/personal/aboutme.html
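A small model of the filter policy Russell describes (deny everything, explicitly allow what is wanted, and refuse 127/8 on any non-loopback interface), as an added example that is not part of the original thread and not netfilter code; the interface names, allowed ports and sample packets, including the aliased ping from the first mail, are constructed.

```python
"""Default-deny packet policy with an anti-spoof rule for 127/8.

Illustrative only: evaluates constructed packet records, it does not
touch the kernel or any real firewall."""
import ipaddress
from dataclasses import dataclass

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the datagram was received on
    src: str
    dst: str
    dport: int


# Explicit allow-list of (interface, destination port); hypothetical policy.
ALLOWED = {("eth0", 22), ("eth0", 80)}


def verdict(pkt: Packet) -> tuple[str, str]:
    """Return (action, reason) for one received packet."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    on_loopback = pkt.iface == "lo"
    # 127/8 as source or destination is only legitimate on the lo interface,
    # regardless of which host put an alias for it on eth0.
    if not on_loopback and (src in LOOPBACK_NET or dst in LOOPBACK_NET):
        return ("DROP", "127/8 seen on non-loopback interface")
    if on_loopback:
        return ("ACCEPT", "loopback")
    if (pkt.iface, pkt.dport) in ALLOWED:
        return ("ACCEPT", "explicit allow")
    return ("DROP", "default policy")


def filter_log(packets):
    """Verdict for each packet, in order, as a list of (src, dst, action)."""
    return [(p.src, p.dst, verdict(p)[0]) for p in packets]


# Constructed sample traffic; the first entry is the thread's eth0:1 ping.
SAMPLE = [
    Packet("eth0", "127.1.2.4", "127.1.2.3", 0),
    Packet("lo", "127.0.0.1", "127.0.0.1", 80),
    Packet("eth0", "10.0.0.5", "10.0.0.1", 22),
    Packet("eth0", "10.0.0.5", "10.0.0.1", 6000),
]

if __name__ == "__main__":
    for src, dst, action in filter_log(SAMPLE):
        print(f"{src} -> {dst}: {action}")
```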
* Re: Problem: RFC1166 addressing
From: Gerhard Mack @ 2002-09-16 17:25 UTC
To: tomc; +Cc: linux-kernel
On Mon, 16 Sep 2002 tomc@teamics.com wrote:
> Date: Mon, 16 Sep 2002 11:50:36 -0500
> From: tomc@teamics.com
> To: linux-kernel@vger.kernel.org
> Subject: Problem: RFC1166 addressing
>
> RFC 1166 states that:
>
>
> The class A network number 127 is assigned the "loopback"
> function, that is, a datagram sent by a higher level protocol
> to a network 127 address should loop back inside the host. No
> datagram "sent" to a network 127 address should ever appear on
> any network anywhere.
>
> Linux does not enforce this. I have uncovered some users using this
> function to attempt to circumvent the firewall. I am able to "create" 127
> network traffic as follows:
>
> Machine 1: ifconfig eth0:1 127.1.2.3 [ running kernel 2.2.14 ]
>
> Machine 2: ifconfig eth0:1 127.1.2.4 [ running kernel 2.4.19 ]
>
> Machine 2: ping 127.1.2.3
>
> Packets move between the hosts. Also seems to work on Macintosh.
I would call that a bug in the firewall rules. Depending on the hosts to
behave in such a way as to make life easier for the firewall makes for a
losing proposition.
Gerhard
--
Gerhard Mack
gmack@innerfire.net
<>< As a computer I find your faith in technology amusing.
* Re: Problem: RFC1166 addressing
From: Richard B. Johnson @ 2002-09-16 17:26 UTC
To: tomc; +Cc: linux-kernel
On Mon, 16 Sep 2002 tomc@teamics.com wrote:
> RFC 1166 states that:
>
>
> The class A network number 127 is assigned the "loopback"
> function, that is, a datagram sent by a higher level protocol
> to a network 127 address should loop back inside the host. No
> datagram "sent" to a network 127 address should ever appear on
> any network anywhere.
I haven't tested this <yet>, but this is not mandatory because the
standard says "should". I know that some older versions of SunOS would
"announce" when they saw such an address on the wire. This was once
found to come from an incorrectly-configured INTERACTIVE Unix machine
here.
You will need root privs to use `ifconfig` and the same to write
raw packets from user-mode so I don't think you have a problem
with the kernel not, as you say, enforcing the standard. Of course,
if everybody has root, then they can do anything regardless of any
kernel enforcement. Just write raw packets claiming you are from
whitehouse.gov and you can rule the universe.
Cheers,
Dick Johnson
Penguin : Linux version 2.4.18 on an i686 machine (797.90 BogoMips).
The US military has given us many words, FUBAR, SNAFU, now ENRON.
Yes, top management were graduates of West Point and Annapolis.
* Re: Problem: RFC1166 addressing
From: Alan Cox @ 2002-09-16 23:06 UTC
To: tomc; +Cc: linux-kernel
On Mon, 2002-09-16 at 17:50, tomc@teamics.com wrote:
> Linux does not enforce this. I have uncovered some users using this
> function to attempt to circumvent the firewall. I am able to "create" 127
> network traffic as follows:
If you choose to configure that way then yes you can. Since any other
box on the net can also send/receive 127.* packets, make sure your
firewall is right 8)
* Re: Problem: RFC1166 addressing
From: tomc @ 2002-09-16 17:33 UTC
To: Gerhard Mack; +Cc: linux-kernel
You are correct sir. I was just quite surprised to find that it works,
and that I can reassign the 127 network to any interface I like.
tc
Gerhard Mack <gmack@innerfire.net> wrote on 09/16/02 12:25 PM
(To: tomc@teamics.com; cc: linux-kernel@vger.kernel.org;
Subject: Re: Problem: RFC1166 addressing):
On Mon, 16 Sep 2002 tomc@teamics.com wrote:
> Date: Mon, 16 Sep 2002 11:50:36 -0500
> From: tomc@teamics.com
> To: linux-kernel@vger.kernel.org
> Subject: Problem: RFC1166 addressing
>
> RFC 1166 states that:
>
>
> The class A network number 127 is assigned the "loopback"
> function, that is, a datagram sent by a higher level protocol
> to a network 127 address should loop back inside the host. No
> datagram "sent" to a network 127 address should ever appear on
> any network anywhere.
>
> Linux does not enforce this. I have uncovered some users using this
> function to attempt to circumvent the firewall. I am able to "create" 127
> network traffic as follows:
>
> Machine 1: ifconfig eth0:1 127.1.2.3 [ running kernel 2.2.14 ]
>
> Machine 2: ifconfig eth0:1 127.1.2.4 [ running kernel 2.4.19 ]
>
> Machine 2: ping 127.1.2.3
>
> Packets move between the hosts. Also seems to work on Macintosh.
I would call that a bug in the firewall rules. Depending on the hosts to
behave in such a way as to make life easier for the firewall makes for a
losing proposition.
Gerhard
--
Gerhard Mack
gmack@innerfire.net
<>< As a computer I find your faith in technology amusing.