Killing IP options (was: Status of 2.4 release)

Russ Allbery rra at stanford.edu
Sat Dec 28 08:43:37 UTC 2002


Jeffrey M Vinocur <jeff at litech.org> writes:

> - there's some problem with clearing IP_OPTIONS.  It's a little vague 
>   here, but I think we collectively couldn't figure out exactly what the
>   intent was with those options and whether they were still needed, so we
>   punted.  (The code in question is innd/rc.c:RCfix_options() and the sole
>   callsite of that function later in the file.)

I did some research on this.  One thread about it is at:

<http://groups.google.com/groups?threadm=qWyk2hVIOTaJ%40sdg.dra.com>

The worry is apparently that if a client enables source routing, this
could confuse innd or nnrpd into using the wrong IP address for access
permission and allow an unauthorized user to gain access.

This code first appeared in INN 1.6b1.  An additional discussion thread
is at:

<http://www.isc.org/ml-archives/inn-workers/1997/10/msg00330.html>

After some initial discussion about implementation, the thread is very
interesting and informative.  Sean Donelan's message at:

<http://www.isc.org/ml-archives/inn-workers/1997/10/msg00351.html>

is particularly interesting (and points out some other stuff that we
should really fix).

I'm fairly sure that IPv6 doesn't allow anything like source routing in
the first place.

Checking the IPv6 version of TCP wrappers, there is the following comment
from Casper Dik:

    The KILL_IP_OPTIONS option doesn't work.  (Something to do with IPV4
    addresses mapped inside IPV6 sockets)

so we're not the first people who have encountered this problem.  I
believe that source-routed packets are now rejected nigh-universally by
host TCP stacks, let alone by routers and the like, so I don't think that
this problem is particularly important.  I think just leaving it as it is
now and only killing IP options for the pure IPv4 case is fine.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

    Please send questions to the list rather than mailing me directly.
     <http://www.eyrie.org/~eagle/faqs/questions.html> explains why.
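
An added example, not part of the message above and not INN's RCfix_options(): one way to check an accepted connection for a source-route option and clear its IP options, skipping any socket that is not pure IPv4 as the message proposes. The function names are hypothetical, and the code assumes the Linux behaviour that getsockopt(IP_OPTIONS) returns the raw option bytes and that a zero-length setsockopt(IP_OPTIONS) clears them.

```c
#include <netinet/in.h>
#include <stddef.h>
#include <sys/socket.h>

/* Return 1 if the IPv4 option bytes contain a loose (LSRR, 0x83) or strict
   (SSRR, 0x89) source route, 0 if not, -1 if the option list is malformed.
   Assumption: opt holds raw option bytes, as Linux returns them. */
int has_source_route(const unsigned char *opt, size_t len)
{
    size_t i = 0;
    while (i < len) {
        unsigned char type = opt[i];
        if (type == 0)              /* end of option list */
            break;
        if (type == 1) {            /* no-op, single-byte padding */
            i++;
            continue;
        }
        if (type == 0x83 || type == 0x89)
            return 1;
        /* Every other option is type, length, data; length covers all three. */
        if (i + 1 >= len || opt[i + 1] < 2 || i + opt[i + 1] > len)
            return -1;
        i += opt[i + 1];
    }
    return 0;
}

/* Clear IP options on a connected socket, pure IPv4 only.
   Returns 1 if a source route was set before clearing, 0 if not (or if the
   socket is not AF_INET and was left alone), -1 on a socket call failure.
   Assumption: setsockopt(IP_OPTIONS, NULL, 0) clears options (Linux). */
int kill_ip_options(int fd)
{
    struct sockaddr_storage ss;
    socklen_t sslen = sizeof(ss);
    unsigned char opt[40];          /* an IPv4 header has at most 40 option bytes */
    socklen_t optlen = sizeof(opt);
    int routed;
    if (getpeername(fd, (struct sockaddr *)&ss, &sslen) < 0)
        return -1;
    if (ss.ss_family != AF_INET)    /* IPv6 and mapped sockets are skipped */
        return 0;
    if (getsockopt(fd, IPPROTO_IP, IP_OPTIONS, opt, &optlen) < 0)
        return -1;
    routed = has_source_route(opt, optlen);
    if (optlen > 0 && setsockopt(fd, IPPROTO_IP, IP_OPTIONS, NULL, 0) < 0)
        return -1;
    return routed > 0;
}
```

A caller would run kill_ip_options() on the descriptor returned by accept() before comparing the peer address against its access list, and log the connection when it returns 1.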