der Mouse,

Do you consider this a security issue?  I know that in general source routing 
is frowned about by security folks, but I'm not sure if that applies to this 
situation.

On Thursday 13 February 2003 02:39 pm, der Mouse wrote:
> > I want to do source address based routing for some particular IPs.
>
> I have a pseudo-interface driver that does exactly this:
>
> [Truly-Delicious - root] 75> netstat -rn -f inet | egrep srt0
> default            10.0.0.1           UGS         3   468844   1500  srt0
> 10.0.0.1           216.46.0.70        UH          1        0   1500  srt0
>
> My default route points out an srt interface.  The interface is
> configured as
>
> [Truly-Delicious - root] 76> ifconfig srt0
> srt0: flags=11<UP,POINTOPOINT> mtu 1500
> 	inet 216.46.0.70 --> 10.0.0.1 netmask 0xffffffff
>
> [Truly-Delicious - root] 77> srtconfig srt0
> 0: 216.46.5.1 /32 rl0 216.46.5.9
> 1: 216.46.0.70 /32 ppp0 216.46.1.10
>
> The srtconfig output indicates that packets whose source address is
> 216.46.5.1 are sent out rl0 with next-hop address 216.46.5.9; those
> whose source address is 216.46.0.70 go out ppp0 with next-hop address
> 216.46.1.10.  (This is actually outdated; the next-hop address for ppp0
> should be different.  The only reason this works is that ppp0 ignores
> the next-hop address.)  Packets with other source addresses are
> silently dropped; that machine should not be sending packets with any
> other source addresses down its default route.
>
> > But, how do I do this with an ethernet?
>
> Install sys/dev/pseudo/if_srt* from my patch tree? :)
>
> This assumes it's IPv4.  I haven't yet taught it about IPv6.
>
> /~\ The ASCII				der Mouse
> \ / Ribbon Campaign
>  X  Against HTML	       mouse@rodents.montreal.qc.ca
> / \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

-- 
Seth Kurtzberg
M. I. S. Corp.
480-661-1849
seth@cql.com