Subject: Re: illegal network routes and a ponderance
To: None <>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-net
Date: 02/21/2003 19:34:27
>> Or rather, for illusion-of-security reasons.  There's not that much
>> software left that makes security decisions based on packets' source
>> addresses, and such software has always been buggy.
> Sendmail, relay checks.

Ugh, good point.  And - at least in the code I just looked at, which
admittedly is probably not the most recent - sendmail doesn't disable
any source-route option that's present.

> Do you really want to turn your machine into an open-relay by
> allowing source routing?

No, I don't want to turn my machine into an open relay at all - but the
right thing to do is not to disable source routing, but to fix sendmail
(or run something else, something that _does_ know that peer IP
addresses cannot be trusted unless any source-route options have been
explicitly removed).

Fix the problem, don't break a useful facility to fix the symptom.
(Not that the facility is all that useful these days, given the large
numbers of people who already have broken it....)

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B