NFR Wizards Archive: Re: Firewall-Wizards Digest V1 #311

Re: Firewall-Wizards Digest V1 #311


Ivan Arce (ivancore-sdi.com)
Mon, 07 Jun 1999 16:54:39 -0300


Hm, I'm resending this to the list, as I'm not sure that my previous reply
made it to it.

Ryan Russell wrote:

> >Why not simply check the data field for the SR tag? A real proxy should
> >be unable to forward traffic (source routed or not) without proxy
> >intervention.
>
> Those types of things get stripped off before the daemon gets
> the data, no? Doesn't all the interesting info below layer 4 get
> "eaten" by the OS by the time an app using sockets gets
> it?
>
> >> FW-1 doesn't do it..
> >
> >Actually, it does. It has dropped SR by default since 2.1b or so. I
> >remember having to apply the patch. ;)
>
> Sorry, I stand corrected.
>
> Ryan

That is not accurate: if a minimum amount of care is taken while
coding the proxies, connections with source routing can be shut down
at the application level (in addition to the OS configuration settings).

For example, in OpenBSD:

$ sysctl -a net.inet.ip.sourceroute
net.inet.ip.sourceroute = 0

BUT STILL, OpenBSD's named does:

    /* Fetch whatever IP options arrived with the accepted connection. */
    if (getsockopt(rfd, IPPROTO_IP, IP_OPTIONS,
                   (char *)&ip_opts, &len) < 0) {
            syslog(LOG_INFO, "getsockopt(rfd, IP_OPTIONS): %m");
            (void) my_close(rfd);
            continue;
    }
    if (len != 0) {
            int i;

            nameserIncr(from_addr.sin_addr, nssRcvdOpts);
            /* any socket with an LSRR or SSRR option
             * must be killed immediately or it can be
             * tcp sequenced */
            for (i = 0; (void *)&ip_opts.ipopt_list[i] -
                        (void *)&ip_opts < len && rfd != -1; ) {
                    u_char c = (u_char)ip_opts.ipopt_list[i];
                    if (c == IPOPT_LSRR || c == IPOPT_SSRR) {
                            my_close(rfd);
                            rfd = -1;
                            break;
                    }
                    if (c == IPOPT_EOL)
                            break;
                    /* NOP is a single byte; every other option
                     * carries its total length in the next byte */
                    i += (c == IPOPT_NOP) ? 1 :
                         (u_char)ip_opts.ipopt_list[i+1];
            }
            if (!haveComplained((char*)from_addr.sin_addr.s_addr,
                                "rcvd ip options")) {
                    syslog(LOG_INFO,
                           "rcvd IP_OPTIONS from [%s].%d (ignored)",
                           inet_ntoa(from_addr.sin_addr),
                           ntohs(from_addr.sin_port));
            }
            if (rfd == -1) /* LSRR or SSRR killed it */
                    continue;
            /* Any other option: strip it from the socket and keep going. */
            if (setsockopt(rfd, IPPROTO_IP, IP_OPTIONS, NULL, 0) < 0) {
                    syslog(LOG_INFO, "setsockopt(!IP_OPTIONS): %m");
                    (void) my_close(rfd);
                    continue;
            }
    }

Note that IP_OPTIONS are shaved off the socket UNLESS they are LSRR or
SSRR; this is the correct behaviour (IMHO), as opposed to several daemons
and proxies that do take IP options into account but just shave them off
and continue.
The named behaviour in OpenBSD WRT source routing can be explained by
reading:

http://www.nai.com/products/security/advisory/07_tcpspoofing_adv.asp

It is quite amazing that this advisory is MORE THAN 2 YEARS OLD and
apparently application proxy developers are not aware of its
implications.

--
--------------------------------------------------------------------------------------------
Iván Arce <ivancore-sdi.com>
President, CORE SDI S.A.
Pte. Juan D. Peron 315 4to UF17 (1394) Buenos Aires, Argentina.
TE/FAX: +54-11-43-31-54-02 +54-11-43-31-54-09
--------------------------------------------------------------------------------------------
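Added example, not part of Arce's message and not code from OpenBSD's named: a bounds-checked version of the same application-level check, written for this page, that walks the IP_OPTIONS buffer of an accepted socket and closes the connection when a loose (LSRR) or strict (SSRR) source-route option is present. It goes a little beyond the quoted loop in that a truncated option or a zero length byte is reported as malformed instead of being walked. The function names (has_source_route, reject_if_source_routed) and the sample option lists are constructed for illustration; the getsockopt wrapper assumes the Linux IP_OPTIONS layout (raw option bytes), whereas on BSD the returned buffer starts with a struct in_addr first-hop field that has to be skipped before the option list.

```c
/* Added example (not from the original post or from OpenBSD's named):
 * bounds-checked walk over an IPv4 options list, as returned by
 * getsockopt(fd, IPPROTO_IP, IP_OPTIONS, ...), reporting whether a
 * loose (LSRR) or strict (SSRR) source-route option is present. */
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Option codes from RFC 791 (same values as <netinet/ip.h>). */
#ifndef IPOPT_EOL
#define IPOPT_EOL  0
#endif
#ifndef IPOPT_NOP
#define IPOPT_NOP  1
#endif
#ifndef IPOPT_RR
#define IPOPT_RR   7
#endif
#ifndef IPOPT_LSRR
#define IPOPT_LSRR 131
#endif
#ifndef IPOPT_SSRR
#define IPOPT_SSRR 137
#endif

/* Returns 1 if the list contains LSRR or SSRR, 0 if it does not, and -1 if
 * the list is malformed (option length missing, shorter than 2, or running
 * past the buffer). Callers treat -1 like a source route: drop the socket. */
int has_source_route(const unsigned char *opts, size_t len)
{
    size_t i = 0;
    while (i < len) {
        unsigned char c = opts[i];
        if (c == IPOPT_EOL)
            return 0;
        if (c == IPOPT_NOP) {           /* single-byte option, no length field */
            i++;
            continue;
        }
        if (i + 1 >= len)               /* length byte missing */
            return -1;
        unsigned char olen = opts[i + 1];
        if (olen < 2 || i + olen > len) /* zero/short length would loop or overrun */
            return -1;
        if (c == IPOPT_LSRR || c == IPOPT_SSRR)
            return 1;
        i += olen;
    }
    return 0;
}

/* For an accepted TCP socket: fetch its IP options, close it if they are
 * source-routed or malformed, otherwise clear them so replies do not follow
 * the reverse route. Assumes the Linux IP_OPTIONS layout (raw option bytes);
 * on BSD the buffer begins with a struct in_addr that must be skipped.
 * Returns 0 if the socket was kept, -1 if it was closed. */
int reject_if_source_routed(int fd)
{
    unsigned char opts[40];             /* MAX_IPOPTLEN */
    socklen_t len = sizeof(opts);
    if (getsockopt(fd, IPPROTO_IP, IP_OPTIONS, opts, &len) < 0) {
        perror("getsockopt(IP_OPTIONS)");
        close(fd);
        return -1;
    }
    if (len == 0)
        return 0;
    if (has_source_route(opts, len) != 0) {
        close(fd);
        return -1;
    }
    if (setsockopt(fd, IPPROTO_IP, IP_OPTIONS, NULL, 0) < 0) {
        perror("setsockopt(IP_OPTIONS)");
        close(fd);
        return -1;
    }
    return 0;
}

/* Constructed sample option lists for the demonstration (not captured traffic). */
static const unsigned char lsrr_opts[] = {
    IPOPT_NOP,
    IPOPT_LSRR, 11, 4,                  /* type, length, pointer */
    10, 0, 0, 1,  10, 0, 0, 2,          /* two listed hops */
    IPOPT_EOL
};
static const unsigned char rr_opts[]  = { IPOPT_RR, 7, 4, 0, 0, 0, 0 }; /* record route only */
static const unsigned char bad_opts[] = { IPOPT_LSRR, 0 };              /* zero length byte */

int main(void)
{
    printf("LSRR list:          %d\n", has_source_route(lsrr_opts, sizeof(lsrr_opts)));
    printf("RR-only list:       %d\n", has_source_route(rr_opts, sizeof(rr_opts)));
    printf("zero-length option: %d\n", has_source_route(bad_opts, sizeof(bad_opts)));
    return 0;
}
```

reject_if_source_routed() is meant to be called right after accept() in a proxy's connection loop, before any data is read; the parser is separated out so the decision logic can be exercised on constructed buffers without a network.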



This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:19:00 CDT