Subject: Re: cloning loopback and security [was Re: CVS commit: src/sys ]
To: Christos Zoulas <christos@zoulas.com>
From: Jonathan Stone <jonathan@dsg.stanford.edu>
List: tech-kern
Date: 12/09/2004 11:34:52
In message <I8Fx4G.Axv@tac.nyc.ny.us>, Christos Zoulas writes:
>Ok, why don't you go ahead and type "ifconfig lo0 down" on your
>machine and then see what breaks. Very little. 

Christos, I think what you are trying to say here is: when *you* type
"ifconfig lo0 down" on *your* machine then, not a lot breaks.  I
accept that it doesn't break much for you.

I don't understand why you keep repeating that the change doesn't break
anything much for you, or for most people. I heard that and I accept
it.  But I am reasoning from different axioms (axioms about building
hardened, secure systems) and therefore my conclusions about what
matters, and what the baseline on this change is, are different from
yours, or kre's, or several other people's.


[...]
>Maybe the portmapper,
>maybe the resolver if you are using 127.0.0.1, but not much else.

Actually, no. (And I say this not to be disagreeable, but to help
illustrate where I'm coming from).  In fact a lot of local code on the
hardened system might rely on having the loopback interface present.
And I care *very* much about whether that traffic is bound to a
loopback interface or to a local NIC (even if via digital loopback to
the local MAC address). And yes, one could use socketpairs or
PF_LOCAL, but sometimes the traffic has to be nonlocal.

[... snip lots of what looks like repetition...]


>And if we add
>a knob so that you cannot create more of them we should be exactly where
>we were before the change.

Yes.  Agreed.  (I sure hope so, as it was my suggestion in the first
place!)  And if we're adding knobs, I would prefer knobs which also
allow a config-time upper bound in addition to a sysctl knob.

I've had half-baked thoughts about macros which would take a module
name, and paste together C identifiers for stylized static variable
names for both the config-time limit identifier and the sysctl-knob limit
identifier, distinguished by different suffixes. I'm sure you can see
how that could go.


[...]

>Not much different than creating an inet alias to an interface, but
>I can see your point.

Thank you.


[...]

>I hear you, as I said before, and we can add provisions so creating more
>network clones is not allowed. Let's figure out how exactly.

Thank you again.  I hope I can help out with that, and do so in a way
that makes sense for all the other cloner cases you noted.
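
[Added illustration, not part of the original thread and not NetBSD's code.
The macro sketched above (a module name pasted into stylized identifiers
for a config-time limit and a sysctl-style limit, distinguished by suffix)
as a standalone, compilable C sketch. All names here (DEFINE_CLONER,
<mod>_MAXCLONES, <mod>_maxclones, <mod>_set_maxclones, <mod>_clone_create,
<mod>_clone_destroy) are hypothetical; the real kernel would hook the
setter to a sysctl node and track per-unit state instead of a bare counter.
Unit 0 is the built-in instance (lo0 for the loopback module) and is never a
clone, so a knob value of 0 means "no cloning at all", i.e. the pre-change
behaviour the thread asks for.]

```c
#include <stdio.h>

/*
 * Hypothetical macro (added example, not NetBSD's own): for module `mod`
 * it pastes together
 *   mod##_MAXCLONES      - config-time upper bound, a compile-time constant
 *   mod##_maxclones      - run-time limit a sysctl knob would set
 *   mod##_nclones        - clones currently in existence
 * plus the operations that enforce them. The run-time knob can never be
 * raised above the config-time bound, so a kernel built with a hard cap
 * keeps it regardless of what root later writes to sysctl.
 */
#define DEFINE_CLONER(mod, cfgmax)                                        \
    enum { mod##_MAXCLONES = (cfgmax) };                                  \
    static int mod##_maxclones = (cfgmax);                                \
    static int mod##_nclones = 0;                                         \
                                                                          \
    /* sysctl-style setter: 0 disables cloning entirely; reject values    \
     * outside [0, mod##_MAXCLONES]. Returns 0 on success, -1 on error. */ \
    int mod##_set_maxclones(int v)                                        \
    {                                                                     \
        if (v < 0 || v > mod##_MAXCLONES)                                 \
            return -1;                                                    \
        mod##_maxclones = v;                                              \
        return 0;                                                         \
    }                                                                     \
                                                                          \
    /* Create one more clone. Unit 0 is the built-in instance and is not  \
     * counted; the first clone is unit 1. Returns the new unit number,   \
     * or -1 if the limit is reached. */                                  \
    int mod##_clone_create(void)                                          \
    {                                                                     \
        if (mod##_nclones >= mod##_maxclones)                             \
            return -1;                                                    \
        return ++mod##_nclones;                                           \
    }                                                                     \
                                                                          \
    /* Destroy the most recently created clone (simplified: a real        \
     * implementation tracks each unit). Returns clones remaining, or -1  \
     * if there is nothing to destroy; unit 0 is never destroyable. */    \
    int mod##_clone_destroy(void)                                         \
    {                                                                     \
        if (mod##_nclones <= 0)                                           \
            return -1;                                                    \
        return --mod##_nclones;                                           \
    }

/* Two modules, each with its own config-time cap (values are made up). */
DEFINE_CLONER(lo, 4)
DEFINE_CLONER(tun, 8)

int main(void)
{
    /* Hardened box: turn the knob to 0 so nothing beyond lo0 can exist. */
    lo_set_maxclones(0);
    printf("lo clone with knob=0: %d (expect -1)\n", lo_clone_create());

    /* Raising the knob is fine up to the compile-time bound, never past it. */
    printf("raise lo knob to 2: %d (expect 0)\n", lo_set_maxclones(2));
    printf("raise lo knob to %d: %d (expect -1)\n",
           lo_MAXCLONES + 1, lo_set_maxclones(lo_MAXCLONES + 1));
    printf("lo1 -> %d, lo2 -> %d, lo3 -> %d (expect 1 2 -1)\n",
           lo_clone_create(), lo_clone_create(), lo_clone_create());

    /* tun has its own, independent counters and bound. */
    printf("tun1 -> %d\n", tun_clone_create());
    return 0;
}
```

The point of the two-level limit is in `mod##_set_maxclones`: the sysctl
path can only lower the effective limit or restore it up to the value
baked in at config time, so an attacker or a careless admin with sysctl
access cannot re-enable cloning on a kernel built without it.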