Subject: Re: cloning loopback and security [was Re: CVS commit: src/sys ]
To: None <tech-kern@netbsd.org>
From: Christos Zoulas <christos@zoulas.com>
List: tech-kern
Date: 12/09/2004 05:41:04
In article <E1CcBwe-0002kX-00@smeg.dsg.stanford.edu>,
Jonathan Stone <jonathan@dsg.stanford.edu> wrote:
>
>Loopback is special because it is special. It's not really an option:
>if you have INET, you need loopback for normal operation.  

Ok, why don't you go ahead and type "ifconfig lo0 down" on your
machine and then see what breaks. Very little. Maybe the portmapper,
maybe the resolver if you are using 127.0.0.1, but not much else.
Actually in the old days, you could bring back your ethernet
interface without bothering with loopback in single user mode and
work just fine. Granted ipv6 needs it, but ipv4 really does not.
And yes, it is a kludge that ipv6 hard-codes lo0, but it always
did so.

>To paraphrase something I said off-list: the domain I'm concerned
>about is the same kind of hardened, tied-down system where Thor and I
>had a strong gut reaction against devfs, due to security concerns.
>Those same concerns apply here, mutatis mutandis.  Those concerns
>include both actual functionality; concerns about the volume of code
>you have to understand to get assurance; and the maturity of that
>code.

Fine, but the loopback code has not really changed. And if we add
a knob so that you cannot create more of them we should be exactly where
we were before the change.

>When I build such systems, I've probably already stripped out gif,
>tun, and probably ppp.  So, just personally, I don't care so much
>about them.  But I can't strip out loopback. So.  Consider clonable
>loopback in scenarios like the one I outlined in private email:
>Configure two loopback interfaces, A and B. Configure one address on A
>and another on B. Cons up a packet with A's source address and B's
>destination address. If we were starting again de-novo, which
>interface is semantically the ``right'' one to send that packet out?
>Or for it to appear on?  If you're using filtering, which interfaces
>should the filters name?  What about ICMP (currently tightly bound to
>lo0)?

Not much different than creating an inet alias to an interface, but
I can see your point.

>When I build hardened systems, I really, really *don't want* to think
>about all those hairy corner-cases issues. I'd much sooner wire down a
>single loopback interface and be done with it, and not have to think
>what games can be played by a bad-guy who gets root.
>
>>And if you can ifconfig lo0 to your heart's content and set it to
>>promiscuous mode, how will creating additional ones compromise security
>>further? I can make a couple of tuns look effectively like loopback...
>
>Again, I want to not *have* to think about a root compromise where
>someone plays weird games with a clonable loopback. Speaking for
>myself, I've already stripped out gre and tun and ppp (and strip and
>/dev/fd), so none of those set off an alarm-bell for me.  Clonable
>loopback, OTOH, sets off a loud, un-ignorable alarm-bell vis-a-vis
>hardened systems. At least for me.

I hear you, as I said before, and we can add provisions so creating more
network clones is not allowed. Let's figure out how exactly.

christos