On Wed, 12 Sep 2001, Richard Draves wrote:
> 1. When processing a Routing Header, hosts should only forward the
> packet to another node via the same interface by which it arrived.
[snip rule 2]
> The first rule will allow the Mobile IP use of Routing Headers, because
> in that case the packet is forwarded from a Care-Of address to a Home
> address on the same node. It will also allow diagnostic uses like
> round-trip traceroute. Forwarding from an address on one interface to an
> address on a second interface and then to a different node via the
> second interface is not allowed.
>
> The first rule prevents security problems, in the following sense:
> Define N1 to be the set of nodes that attacker A can reach with a
> packet if hosts implement the first rule. Define N2 to be the set of
> nodes that A can reach if hosts do not honor Routing Headers at all.
> It's easy to see that N1 = N2, i.e. source routing with the first rule
> introduces no loss of security.
I don't think this is enough.
I'm not sure what you mean by round-trip traceroute, but I'm assuming it's
probably like normal traceroute (increasing hop count), where you can send
an additional packet to the intermediate router using routing header, to
see what the return path from it is.
If the intent is to send the packet with huge TTL to the destination
directly, possibly with routing header, I don't see much "traceroute" in
it, more like ping.
The diagnostic uses don't seem interesting IMO here, as you can
(assumedly) do round-trip traceroute to the next-hop router of the
destination host. From there, the latency etc. changes should be minimal,
and the path symmetric assuming the same-interface rule stands. So, I can't
see much use for the diagnostic argument if it's assumed that routers
enable source-route forwarding by default.
"Local forwarding" _does_ cause a loss of security, depending on the
policies. There are two kinds:
1) any host can be used as a traffic reflector
2) (more important) it can be used to avoid (simple) access-lists
Of 2), I've already given an example, but I'll add it here again:
host1 --- rtr1 - INET - rtr2 -+- host2    (other scenarios also exist)
                              |
                              +- host3
Assume that host2 is a web server.
Assume that rtr2 blocks all traffic to port 80, except for host2.
host3 is running an internal/testing web server.
Now host1 can write:
src = host1
dst = host2
tcp dport = 80
routing header = host3
Whoops.. traffic straight to host3 port 80 that was blocked.
Not Good.
--
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords
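The access-list bypass described above comes down to what the filter at rtr2 compares against its policy: only the outer destination address, or every address the Routing Header would steer the packet to. The following is an added example (not code from the mailing-list thread or any IPng implementation) that builds a minimal IPv6 packet with a Type 0 Routing Header, parses it, and applies the mail's rtr2 policy ("TCP port 80 only to host2") both ways. The host addresses, the field names and the acl_permits/check_routing_header parameter are constructed for the illustration.

```python
import ipaddress
import struct

# Constructed example addresses (documentation prefix 2001:db8::/32, not real hosts)
HOST1 = "2001:db8:1::1"   # the sending host in the mail's scenario
HOST2 = "2001:db8:2::2"   # the public web server rtr2 allows port 80 to
HOST3 = "2001:db8:2::3"   # the internal/testing web server behind rtr2
IPPROTO_TCP = 6
IPPROTO_ROUTING = 43


def build_packet(src, dst, dport, route=()):
    """Build an IPv6 packet: optional Type 0 Routing Header (RFC 2460 layout), then a TCP header."""
    # TCP header: sport, dport, seq, ack, data-offset/flags (SYN), window, checksum, urgent
    tcp = struct.pack("!HHIIHHHH", 12345, dport, 0, 0, (5 << 12) | 0x02, 65535, 0, 0)
    ext = b""
    nxt = IPPROTO_TCP
    if route:
        addrs = b"".join(ipaddress.IPv6Address(a).packed for a in route)
        # RH0: next header, hdr ext len (8-octet units beyond the first 8), routing type 0,
        # segments left, 32-bit reserved, then the address list
        ext = struct.pack("!BBBBI", IPPROTO_TCP, 2 * len(route), 0, len(route), 0) + addrs
        nxt = IPPROTO_ROUTING
    payload = ext + tcp
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), nxt, 64)  # version 6, payload len, next hdr, hop limit
    hdr += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return hdr + payload


def parse_packet(pkt):
    """Return src, outer dst, every address listed in Routing Headers, the upper-layer proto and TCP dport."""
    if pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt = pkt[6]
    src = ipaddress.IPv6Address(pkt[8:24])
    dst = ipaddress.IPv6Address(pkt[24:40])
    off = 40
    route = []
    # Walk the extension-header chain; collect the address list of every Type 0 Routing Header
    while nxt == IPPROTO_ROUTING:
        nxt_hdr, ext_len, rtype, _seg_left = struct.unpack_from("!BBBB", pkt, off)
        if rtype == 0:
            for i in range(ext_len // 2):  # RH0: two 8-octet units per address
                start = off + 8 + 16 * i
                route.append(ipaddress.IPv6Address(pkt[start:start + 16]))
        off += (ext_len + 1) * 8
        nxt = nxt_hdr
    dport = struct.unpack_from("!HH", pkt, off)[1] if nxt == IPPROTO_TCP else None
    return {"src": src, "dst": dst, "route": route, "proto": nxt, "dport": dport}


def acl_permits(fields, *, check_routing_header):
    """rtr2's policy from the mail: TCP port 80 is allowed only towards HOST2.

    With check_routing_header=False only the outer destination is examined (the weak filter);
    with True every address the Routing Header would forward the packet to must pass the policy.
    """
    if fields["proto"] != IPPROTO_TCP or fields["dport"] != 80:
        return True
    targets = [fields["dst"]] + (fields["route"] if check_routing_header else [])
    return all(t == ipaddress.IPv6Address(HOST2) for t in targets)


if __name__ == "__main__":
    # The packet from the mail: dst = host2, routing header = host3, tcp dport = 80
    fields = parse_packet(build_packet(HOST1, HOST2, 80, route=(HOST3,)))
    print("outer dst only  :", "permit" if acl_permits(fields, check_routing_header=False) else "deny")
    print("with RH0 targets:", "permit" if acl_permits(fields, check_routing_header=True) else "deny")
```

The weak filter permits the packet because the outer destination is host2; host2 then forwards it to host3 port 80 under Draves' first rule. Checking the Routing Header's address list against the same policy (or simply denying packets that carry a Routing Header at all, which is what many filters did) is what closes the gap.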
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------