Hi
> we performed pretty thorough tests with the stack (including the usual
> stuff like SYN floods) and found the TCP options bug.

Where? Is it an lwIP bug? Is it already solved in current CVS? (I'm using the last 1.3.0 release.)

> I would give lwIP a pretty good grade there. The stack itself is very
> robust.

Good!

> The problematic part is always the driver implementation. And that is where
> lwIP could provide more help to developers (more documentation, tips, hints,
> best practices).
> Because timing issues, flooding issues and all that stuff all arise in the
> driver. If your driver is not secure, the stack can't help crashing.
>
> So debug your driver while under SYN flood and you'll probably find
> something overflowing.

Which tool can I use to simulate a flood attack and debug the driver and the stack?

> Now on to the topic of filtering. Filtering packets in the MAC layer by
> whitelisting IPs is pretty much nonsense. It's basically the same simulation
> of security as MAC ACLs in wireless routers. An IP can easily be spoofed
> just like a MAC can. Building extensive packet filtering options and
> configuration options into lwIP will only increase complexity and code size.
> And if you want filtering on the lowest level it will be a driver issue
> anyways.

Yes... I want to filter in the driver, not in lwIP... and I know... it is not a definitive solution, but it can mitigate the problem.

> Network security is a very complex topic and you can't try to make a single
> device ultra-secure and then never worry again. The whole network has to be
> taken into account. Also there are no statements about it that are correct
> under every circumstance (like using UDP because it's simpler).
> You cannot judge the security of a device by the IP stack alone.
>
> To close: you should probably never expose a device with such low resources
> that it uses a minimal stack like lwIP _directly_ to the internet. This WILL
> starve your resources and DoS your device.
> Packet filtering should be done by appliances that are built for that.
> Firewalls, VPN tunnels, ...

Yes.... I said the same thing to our marketing.... "Put the device behind a firewall!!".... but the answer was... security features inside the device are good marketing arguments.... :O|

Bye
Piero
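As an added illustration of the two points made above (driver-level source-IP whitelisting versus a driver that does not overflow under a flood), the following C sketch is not lwIP code and not from either poster; it assumes a hypothetical driver-side pre-filter with a made-up whitelist of two private addresses. The length check is what actually protects the driver; the whitelist only compares whatever source address the sender wrote into the packet.

```c
#include <stddef.h>
#include <stdint.h>

/* Ethernet II + IPv4 header layout on the wire (offsets in bytes). */
#define ETH_HDR_LEN    14
#define ETH_TYPE_OFF   12
#define IP_HDR_MIN_LEN 20
#define IP_SRC_OFF     12

enum verdict { DROP_SHORT, DROP_NOT_IPV4, DROP_NOT_WHITELISTED, ACCEPT };

/* Hypothetical whitelist the driver would hold; both entries are made-up private addresses. */
static const uint32_t allowed_src[] = { 0xC0A80001u /* 192.168.0.1 */, 0xC0A80002u /* 192.168.0.2 */ };

static uint32_t rd32be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Driver-side pre-filter, run before the frame is handed to the stack.
 * The length check is the part that protects the driver: under a flood, a frame
 * shorter than the headers we are about to read is exactly what overflows buffers.
 * The whitelist only compares the address the sender chose to write into the packet. */
enum verdict driver_prefilter(const uint8_t *frame, size_t len)
{
    if (len < ETH_HDR_LEN + IP_HDR_MIN_LEN) return DROP_SHORT;
    uint16_t ethertype = (uint16_t)((frame[ETH_TYPE_OFF] << 8) | frame[ETH_TYPE_OFF + 1]);
    if (ethertype != 0x0800 || (frame[ETH_HDR_LEN] >> 4) != 4) return DROP_NOT_IPV4;
    uint32_t src = rd32be(frame + ETH_HDR_LEN + IP_SRC_OFF);
    for (size_t i = 0; i < sizeof allowed_src / sizeof allowed_src[0]; i++)
        if (allowed_src[i] == src) return ACCEPT;
    return DROP_NOT_WHITELISTED;
}

/* Constructed test frame: Ethernet II header with ethertype IPv4, an IPv4 header
 * carrying the given source address (everything else zero), truncated to `len` bytes. */
enum verdict verdict_for(uint32_t src, size_t len)
{
    uint8_t f[ETH_HDR_LEN + IP_HDR_MIN_LEN] = {0};
    f[ETH_TYPE_OFF] = 0x08; f[ETH_TYPE_OFF + 1] = 0x00;   /* ethertype 0x0800 */
    f[ETH_HDR_LEN] = 0x45;                                /* IPv4, IHL = 5 */
    for (int i = 0; i < 4; i++)
        f[ETH_HDR_LEN + IP_SRC_OFF + i] = (uint8_t)(src >> (24 - 8 * i));
    return driver_prefilter(f, len < sizeof f ? len : sizeof f);
}
```

A truncated frame is dropped before any header byte is read, while a full frame is accepted purely on the claimed source address, which is why the whitelist mitigates but does not authenticate.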
_______________________________________________ lwip-users mailing list [email protected] http://lists.nongnu.org/mailman/listinfo/lwip-users
