Subject: Re: Should loose source routing be enabled if not IPFORWARDING?
To: Mark P. Gooderum <mark@nirvana.good.com>
From: Darren Reed <darrenr@vitruvius.arbld.unimelb.edu.au>
List: current-users
Date: 12/15/1994 17:40:33
In some email I received from Mark P. Gooderum, they wrote:
> 
> > > None of the legitimate uses of source routing have any need to pass through
> > > a box that has GATEWAY off.
> > 
> > I consider "traceroute -g intermediary destination" to be a legitimate use
> > of source routing, even when the intermediary is a non-routing host.
> 
> If it's a non-routing source, what business do your packets have passing
> through the box?

They don't always go _through_.

> > When GATEWAY is off, the box should not pass packets in one interface and
> > out another, but I think it could still pass LSRR and SSRR packets in one
> > interface and back out the same interface; there could be another option
> > to disable that too (for use in firewalls etc.). 
> 
> This is a nice concept but has a big problem.  The ip_input() routine
> (the function that decides to route or drop or accept as local any incoming
> IP packet) has no sure knowledge of which interface that packet actually
> came in on.  The link layer device (ethernet, slip, ppp, etc), throws the
> incoming packet on the protocol input queue and schedules a software
> interrupt.  That packet is an mbuf of the actual packet, there is no link
> to the interface and no MAC/Link layer header (the bpf device is a special
> case that is handled in the link layer device driver).  The IP layer can
> try to guess based on routing, but it's just that, a guess.  Maybe a good
> guess in a simple us and them inside/outside routing situation, but even that
> assumes no forged packets...BIG and bad assumption to make if you are 
> actually worried about security.
> 
> So ip_input() and the routing routines don't know for sure where a packet
> came from.  Thus, if you want to be really sure of not passing packets, you
> have to not forward *any* packets.

Rubbish.

RTFS.

/*
 * Do option processing on a datagram,
 * possibly discarding it if bad options are encountered,
 * or forwarding it if source-routed.
 * Returns 1 if packet has been forwarded/freed,
 * 0 if the packet should be processed further.
 */
int
ip_dooptions(m, ifp)
        struct mbuf *m;
        struct ifnet *ifp;
{
...

What do you think ifp is ?
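An added example, not code from this thread or from the BSD kernel: a stand-alone C model of the decision ip_dooptions() is in a position to make with the ifp it receives, parsing an LSRR/SSRR option in RFC 791 layout and applying the policy proposed in the quoted text (forward a source-routed datagram when GATEWAY is on, or when it would leave by the interface it arrived on; otherwise drop). The interface indexes and the two-entry route table are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>

#define IPOPT_LSRR 131   /* loose source and record route  */
#define IPOPT_SSRR 137   /* strict source and record route */

enum srr_verdict { SRR_ACCEPT_LOCAL = 0, SRR_FORWARD = 1, SRR_DROP = 2 };

/* Constructed route table standing in for the kernel's: 10/8 is reached
 * through interface 1, 192.168/16 through interface 2, nothing else. */
static int lookup_egress_if(uint32_t next_hop)
{
    if ((next_hop & 0xff000000u) == 0x0a000000u) return 1;
    if ((next_hop & 0xffff0000u) == 0xc0a80000u) return 2;
    return -1;
}

/* opt points at the option type byte of a datagram addressed to this
 * host (the only case in which ip_dooptions() handles a source route);
 * optlen is the number of option bytes available. ingress_if is what
 * ip_dooptions() gets as ifp. ip_forwarding models GATEWAY; same_if_ok
 * models the proposed "allow in-and-back-out-the-same-interface" knob. */
int srr_policy(const uint8_t *opt, size_t optlen, int ingress_if,
               int ip_forwarding, int same_if_ok)
{
    if (optlen < 3 || (opt[0] != IPOPT_LSRR && opt[0] != IPOPT_SSRR))
        return SRR_DROP;
    size_t len = opt[1], ptr = opt[2];
    /* RFC 791: length covers type/len/ptr plus 4-byte addresses, and the
     * pointer (1-based) must be at least 4; anything else is malformed. */
    if (len < 3 || len > optlen || ptr < 4)
        return SRR_DROP;
    size_t p = ptr - 1;                 /* 0-based offset of next hop */
    if (p + 4 > len)                    /* route exhausted: we are the end */
        return SRR_ACCEPT_LOCAL;
    uint32_t next_hop = ((uint32_t)opt[p] << 24) | ((uint32_t)opt[p + 1] << 16)
                      | ((uint32_t)opt[p + 2] << 8) | (uint32_t)opt[p + 3];
    int egress_if = lookup_egress_if(next_hop);
    if (egress_if < 0)
        return SRR_DROP;                /* no route to the next hop */
    if (ip_forwarding)
        return SRR_FORWARD;             /* GATEWAY on: normal forwarding */
    if (same_if_ok && egress_if == ingress_if)
        return SRR_FORWARD;             /* hairpin on the arrival interface */
    return SRR_DROP;                    /* would cross interfaces: refuse */
}
```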