From owner-freebsd-security@FreeBSD.ORG Wed Apr 2 22:49:34 2003
Date: Wed, 2 Apr 2003 22:49:30 -0800 (PST)
From: Mike Hoskins <mike@adept.org>
To: security@FreeBSD.ORG
Message-ID: <20030402224630.V7394@fubar.adept.org>
Subject: Re: rfc3514 - Security Flag in the IPv4 Header

On Wed, 2 Apr 2003, David Pick wrote:

> > Any chance this is an April Fool's joke?

Yes.

> The idea is sound and brilliant in concept.

It was a joke. :)

> > Inquiring minds see a real snakepit involved in applications
> > setting and honoring a bit that conveys dishonorable
> > intentions. /-:

Exactly, as if people wouldn't 'fiddle' with the bit.

> I think it's unfortunate that someone as well respected as
> Stephen Bellovin should fall prey to an obvious trap. One

He didn't. :)

Funny, this got sucked into *BSD and Linux CVS repositories, and discussed
on a number of mailing lists.
----- Forwarded message from bmanning@karoshi.com -----

From bmanning@karoshi.com Wed Apr 2 22:45:56 2003
Date: Tue, 1 Apr 2003 09:40:26 -0800 (PST)
From: bmanning@karoshi.com
To: nanog@nanog.org
Subject: Re: RFC3514

> Well, you weren't taking it seriously, I hope.

lol

> -Jack

Subject: cvs commit: src/sbin/ping ping.8 ping.c src/share/man/man4 inet.4 ip.4 src/sys/netinet in.h in_pcb.h ip.h ip_input.c ip_output.c ip_var.h src/usr.bin/netstat inet.c
Date: Tue, 1 Apr 2003 00:21:44 -0800 (PST)
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org

mdodd       2003/04/01 00:21:44 PST

  FreeBSD src repository

  Modified files:
    sbin/ping            ping.8 ping.c
    share/man/man4       inet.4 ip.4
    sys/netinet          in.h in_pcb.h ip.h ip_input.c ip_output.c ip_var.h
    usr.bin/netstat      inet.c
  Log:
  Implement support for RFC 3514 (The Security Flag in the IPv4 Header).
  (See: ftp://ftp.rfc-editor.org/in-notes/rfc3514.txt)

  This fulfills the host requirements for userland support by way of the
  setsockopt() IP_EVIL_INTENT message.

  There are three sysctl tunables provided to govern system behavior.

  net.inet.ip.rfc3514:
        Enables support for rfc3514. As this is an Informational RFC and
        support is not yet widespread this option is disabled by default.

  net.inet.ip.hear_no_evil
        If set the host will discard all received evil packets.

  net.inet.ip.speak_no_evil
        If set the host will discard all transmitted evil packets.

  The IP statistics counter 'ips_evil' (available via 'netstat') provides
  information on the number of 'evil' packets received.

  For reference, the '-E' option to 'ping' has been provided to demonstrate
  and test the implementation.
  Revision  Changes    Path
  1.47      +4 -2      src/sbin/ping/ping.8
  1.92      +13 -1     src/sbin/ping/ping.c
  1.21      +11 -0     src/share/man/man4/inet.4
  1.29      +9 -0      src/share/man/man4/ip.4
  1.75      +2 -0      src/sys/netinet/in.h
  1.59      +1 -0      src/sys/netinet/in_pcb.h
  1.22      +1 -0      src/sys/netinet/ip.h
  1.232     +14 -0     src/sys/netinet/ip_input.c
  1.181     +28 -1     src/sys/netinet/ip_output.c
  1.72      +1 -0      src/sys/netinet/ip_var.h
  1.57      +1 -0      src/usr.bin/netstat/inet.c

----- End forwarded message -----

-mrh
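The receive-side behaviour the commit message describes (the net.inet.ip.rfc3514 and hear_no_evil tunables and the ips_evil counter), as an added illustration in C that is not the FreeBSD code: it reads the flags/fragment-offset field of a raw IPv4 header, where RFC 3514 places its bit, and applies the drop policy. The struct and function names and the two sample headers are my own, constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define IPV4_MIN_HDR_LEN 20
#define IP_EVIL_BIT 0x8000 /* high-order bit of the flags/fragment-offset field (RFC 3514) */
/* Emulated sysctl knobs named in the commit message (hypothetical structs, not the kernel's). */
struct rfc3514_policy {
    int rfc3514;      /* net.inet.ip.rfc3514: honour the bit at all (off by default) */
    int hear_no_evil; /* net.inet.ip.hear_no_evil: drop received packets with the bit set */
};
struct rfc3514_stats {
    unsigned long ips_evil; /* packets seen with the evil bit set (cf. netstat's ips_evil) */
    unsigned long dropped;  /* packets discarded by hear_no_evil */
};

/* 1 if the evil bit is set, 0 if clear, -1 if the buffer is not a plausible IPv4 header. */
int ip_evil_bit(const uint8_t *pkt, size_t len)
{
    if (len < IPV4_MIN_HDR_LEN || (pkt[0] >> 4) != 4)
        return -1;
    uint16_t off = (uint16_t)((pkt[6] << 8) | pkt[7]); /* flags + fragment offset, big-endian */
    return (off & IP_EVIL_BIT) ? 1 : 0;
}

/* Input-path decision modelled on hear_no_evil: returns 1 to accept, 0 to drop. */
int ip_input_filter(const struct rfc3514_policy *pol, struct rfc3514_stats *st, const uint8_t *pkt, size_t len)
{
    int evil = ip_evil_bit(pkt, len);
    if (evil < 0) return 0;      /* not a usable IPv4 header: drop regardless of policy */
    if (!pol->rfc3514) return 1; /* feature disabled: bit ignored, matching the default */
    if (evil) {
        st->ips_evil++;
        if (pol->hear_no_evil) { st->dropped++; return 0; }
    }
    return 1;
}

/* Constructed 20-byte headers (not captured traffic); bytes 6-7 hold flags/offset. */
static const uint8_t PKT_EVIL[IPV4_MIN_HDR_LEN] =
    {0x45,0,0,20, 0,0, 0x80,0x00, 64,1, 0,0, 10,0,0,1, 10,0,0,2};
static const uint8_t PKT_DF[IPV4_MIN_HDR_LEN] =
    {0x45,0,0,20, 0,0, 0x40,0x00, 64,1, 0,0, 10,0,0,1, 10,0,0,2};
/* Runs both samples under one policy; returns how many were accepted, counters via *st. */
int demo_accepted(int enable, int hear_no_evil, struct rfc3514_stats *st)
{
    struct rfc3514_policy pol = { enable, hear_no_evil };
    memset(st, 0, sizeof *st);
    return ip_input_filter(&pol, st, PKT_EVIL, sizeof PKT_EVIL)
         + ip_input_filter(&pol, st, PKT_DF, sizeof PKT_DF);
}
```

With the feature enabled and hear_no_evil set, the flagged sample is dropped and counted while the ordinary DF-only header passes; with rfc3514 left at its default of off, both pass and nothing is counted.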