Subject: Re: Should loose source routing be enabled if not IPFORWARDING?
To: John Hawkinson <email@example.com>
From: Ted Lemon <firstname.lastname@example.org>
Date: 12/14/1994 08:39:17
John, you have a completely valid point in stating that application
servers should check their sources and not trust bogons. In that
environment, we wouldn't need firewalls. Unfortunately, in the real
world there are a lot of applications that do not know how to reject
source-routed packets and have no way of authenticating such packets.
Host-address-based authentication in such situations is not useful,
since if I can control the route that a packet and its reply take to
get to me, I can choose an arbitrary source address without fear that
the reply will be routed to the wrong place.
We'd need some stronger form of authentication. Probably public-key
based, since even Kerberos depends to some extent on source addresses
not being spoofed. I think that it's a worthwhile goal, but we
aren't even to the point of having experimental services working that
support this now, so it's premature to make policy decisions on that
Currently, Firewalls block a lot of packets, usually including most
ICMP packets. It is rare to find a firewall through which a
traceroute can occur. It's widely agreed upon in the firewall
community that source routing cannot be permitted through firewalls.
However, your argument that source routing should be enabled by
default may be valid. Perhaps the right solution is to put a
FIREWALL option into the config file. Even if a sysctl variable is
present, I think the likelihood of its being widely used is slim.
Being a knowledgeable network person, I think you overestimate the
level of awareness that the average person has about source routing
and other ip issues.
Anyway, just my two cents. For my own system, I'll leave source
routing on and try to keep the services secure, but at work source
routing through the firewall is already dead and gone.
Ted Lemon email@example.com
+1 415 477 5045
Fight to preserve your freedom to program: Join the League for
Programming Freedom! For info, contact firstname.lastname@example.org.