Hi,
this is more a comment on rfc2827 than on the patch (which seems to do
basically what is in the RFC).
This kind of filtering gives very little protection. For single-homed
systems with a default route, basically the only packets that it
can deny are those with a 127/8 source address on the wire.
And even in the case of multi-homed routers, in most cases it will likely
protect only from attacks coming from inside your network.

Finally, I agree that the place for this code is within ip_fw.c,
definitely not ip_input.c.

        cheers
        luigi

> 
> Hello!
> 
> I'd like to know your opinion about this patch
> 
>   http://www.morning.ru/~poige/patchzone/ingressfiltering.patch
> 
> which is my attempt to implement an ingress filter, inspired by
> RFC2827 "Network Ingress Filtering: Defeating Denial of Service Attacks
> which employ IP Source Address Spoofing".
> 
>   (http://www.ietf.org/rfc/rfc2827.txt)
> 
> It should be mentioned IMHO that this code makes another one in ip_input.c
> kind of redundant, I mean the code checking/blocking the 127/8 network "on
> wire". BTW, I suggest, if not removing it completely, then adding (sys)logging
> to it: 127/8 spoofing certainly should be logged. :)
> 
> Another thing to pay attention to: I deem it'd be better if such a filter
> were built into ip_fw.c, allowing such syntax for ipfw(8):
> 
>   deny log ip from any to any in via fxp0 spoofed
> 
> But AFAIS in ip_fw.h:
> 
> #define IP_FW_F_IN      0x00000100
> ...
> #define IP_FW_F_DME     0x40000000      /* destination = me */
> 
> #define IP_FW_F_MASK    0x7FFFFFFF      /* All possible flag bits mask */
> 
> and u_int32_t       fw_flg;
> 
> there is no free space for any additional flags...
> 
> So, I was a bit unsure whether I should expand fw_flg to u_int64_t, and do
> any other extensions. For now I decided just to write something like a
> draft, test it (it seems to be working ;), and ask you, people, for your
> comments/ideas on it.
> 
> P.S. A bit more info on this patch is at http://www.morning.ru/~poige/patchzone/
> 
> -- 
> Igor M Podlesny a.k.a. Poige
> http://WwW.MorninG.RU/~poige
> 
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with "unsubscribe freebsd-net" in the body of the message
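An added illustration of the two points above (Luigi's claim that a single-homed host with a default route can only reject 127/8 sources, and the `spoofed` check Igor wants in ipfw); this is example code, not the patch and not FreeBSD's ip_fw.c. It models an RFC2827-style reverse-path check over a toy routing table; fxp0 is from the mail, fxp1/lo0 and all addresses are constructed.

```python
import ipaddress
from typing import List, Optional, Tuple

# Toy reverse-path style ingress check in the spirit of RFC2827 (added
# example, not kernel code): a packet arriving on in_iface is dropped when
# the routing table would reach its *source* address via another interface.
Route = Tuple[ipaddress.IPv4Network, str]


def lookup(routes: List[Route], addr: str) -> Optional[str]:
    """Longest-prefix match: interface a packet destined to addr leaves on."""
    ip = ipaddress.ip_address(addr)
    best: Optional[Route] = None
    for net, iface in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def ingress_allows(routes: List[Route], in_iface: str, src: str) -> bool:
    """Accept only if src is reachable back out through in_iface."""
    return lookup(routes, src) == in_iface


def _table(spec) -> List[Route]:
    return [(ipaddress.ip_network(p), i) for p, i in spec]


# Single-homed host: LAN prefix on fxp0, loopback, default route via fxp0.
SINGLE_HOMED = _table([("10.0.0.0/24", "fxp0"), ("127.0.0.0/8", "lo0"),
                       ("0.0.0.0/0", "fxp0")])

# Multi-homed router: internal LAN on fxp1, upstream/default via fxp0.
MULTI_HOMED = _table([("192.168.1.0/24", "fxp1"), ("10.0.0.0/24", "fxp0"),
                      ("127.0.0.0/8", "lo0"), ("0.0.0.0/0", "fxp0")])

if __name__ == "__main__":
    # With a default route, everything but 127/8 "comes back" via fxp0,
    # so only loopback sources can be rejected on the single-homed host.
    for iface, src in (("fxp0", "127.0.0.1"), ("fxp0", "198.51.100.9")):
        print("single-homed", iface, src, ingress_allows(SINGLE_HOMED, iface, src))
    # The router can reject inside addresses arriving from outside and
    # outside addresses arriving from the inside LAN.
    for iface, src in (("fxp0", "192.168.1.7"), ("fxp1", "203.0.113.4")):
        print("multi-homed", iface, src, ingress_allows(MULTI_HOMED, iface, src))
```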

