From: Neil W Rickert (rickert+btCS.NIU.EDU)
Date: Mon Mar 05 2001 - 20:07:04 CST

    Woody <woodyTHEBUNKER.NET> wrote:

    >We believe there to be a serious security flaw in the TCP/IP stack of
    >several Unix-like operating systems. Whilst being "known" behavior on
    >technical mailing lists, we feel that the implications of this
    >"feature" are unexpected. Furthermore, not all platforms behave in the
    >same way, which will obviously lead to invalid expectations.

    [detailed description snipped]

    I am surprised to see this described as a flaw. It is behavior I
    have been relying on for some time. Specifically, on my client
    machines, I add a route to the alternate interface of my servers via
    the direct interface of the same server. This allows direct
    connection to the server without relying on a router, regardless of
    which IP address is used for the service. For NFS clients, I
    consider it important to be able to do this.

    If there is a flaw, it is surely in the thinking of people who
    mistakenly assumed that multi-homed systems would not behave so as to
    allow this.

    The original message states

    >At the moment, any machine which has either:

    >o services running on the loopback interface

    >o two or more external interfaces

    >must be configured, using a firewall, to drop IP packets arriving from
    >the wrong network in order to be secure. This is commonly not the
    >case.

    This is surely an overstatement. I expect that there are many
    multi-homed servers which offer the same network services on each
    interface. There do not appear to be any security issues in such
    cases.

     -NWR
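The original report says a multi-homed host must "drop IP packets arriving from the wrong network" to be secure. The script below is an added example, not from anyone in this thread: it emits an nftables ruleset that enforces that strong-host policy, dropping packets whose destination is one interface's address unless they actually arrived on that interface, and dropping anything addressed to loopback that did not come in on lo. Interface names and addresses are constructed placeholders, and the rules cover IPv4 only.

```shell
#!/bin/sh
# Added example (not part of the original thread): generate an nftables script
# that enforces a "strong host" policy on a multi-homed box.
# Usage: strong_host_rules IFACE:ADDR [IFACE:ADDR ...] | nft -f -
# Interface names and addresses are constructed placeholders.

strong_host_rules() {
    printf 'table inet strong_host {\n'
    printf '  chain input {\n'
    printf '    type filter hook input priority -10; policy accept;\n'
    # Services bound to 127.0.0.0/8 must never be reachable from the wire.
    printf '    iifname != "lo" ip daddr 127.0.0.0/8 counter drop\n'
    for pair in "$@"; do
        iface=${pair%%:*}   # text before the first ':'
        addr=${pair#*:}     # text after the first ':'
        # A packet for this interface's address must have arrived on it.
        printf '    iifname != "%s" ip daddr %s counter drop\n' "$iface" "$addr"
    done
    printf '  }\n'
    printf '}\n'
}

# Example invocation with constructed addresses (documentation ranges):
# strong_host_rules eth0:192.0.2.10 eth1:198.51.100.10
```

Note that applying this on the server is exactly what breaks the client-side trick Rickert describes (a host route to the server's alternate address via its direct interface), so it trades that convenience for the per-interface isolation the original report asks for.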