Subject: Re: illegal network routes and a ponderance
To: None <>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-net
Date: 02/21/2003 13:14:31
>>>> For better or worse, source routing is disabled in most routers
>>>> for security reasons.
>> Or rather, for illusion-of-security reasons.  There's not that much
>> software left that makes security decisions based on packets' source
>> addresses, and such software has always been buggy.
> Didn't you mean destination address?  As I understant the source
> routing, source address is unaffected by it.

No, I meant source address.  The source address is unaffected, yes, but
the danger is thus:

Victim machine V trusts trusted host T.  This check is done based on
ip_src addresses.

Attacker sets up machine A1 and A2.  A2 is given T's address, but is
behind A1.  A1 speaks to A2 (at T's address) and also to the network,
through which it can reach V.

A2, using T's address, connects to V, LSRR through A1.  Since the
reversed route is used for replies, when V responds, the packets are
loose-routed through A1, which sends them to A2 rather than T.  (This
could be done by simply having A1 route T's address to A2; it could
also be done by jiggering the IP forwading code on A1.)

Now, V is talking to A2, but thinks - based on ip_src - that it's
talking to T.  Oops.

With a little careful coding on A1, A2 doesn't even need to exist as a
separate machine.

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B