From: Richard Coleman (Critical Magic, Inc.)
Date: Thu, 06 May 2004 20:29:28 -0400
To: Julian Elischer
cc: freebsd-net@freebsd.org, freebsd-current@freebsd.org, Andre Oppermann
Subject: Re: Default behaviour of IP Options processing
List: freebsd-current@freebsd.org (Discussions about the use of FreeBSD-current)

Julian Elischer wrote:
> On Thu, 6 May 2004, David W. Chapman Jr. wrote:
>
>>> We are using RR option all the time to track down routing
>>> asymmetry and traceroute is not an option, ping -R is very useful
>>> in those cases. We all know that ipfw (and I am sure all other
>>> *pf*) is able to process ip opts quite well and personally see no
>>> point in these sysctls. I fail to see a documentation update
>>> (inet.4 ?) as well.
>>>
>>> It is not clear to me why you ever ask for opinions after commit
>>> not before. Strick "nay" if you care :-)
>>
>> He hasn't changed the default yet. But I think for the select few
>> who actually use such tcp options, they can enable it. Most of
>> the users however will not need this. I think the point that is
>> trying to be made is that they want the default installation to be
>> more secure and those who need these features can simply turn them
>> on.
>
> what security problem are you expecting?

Isn't that irrelevant? If 99.99% of the FreeBSD users don't need ip
options, why should they be honored by default? Just because we can't
think of a security issue at the moment doesn't mean one won't show up
in the future.

But in the interest of POLA, I would vote for the default to be 0
(just ignore the option and pass packet unmodified).

And regardless of the outcome, please mention this somewhere in the
networking section of the FreeBSD handbook.

Richard Coleman
richardcoleman@mindspring.com
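The thread argues over what a host should do with an IPv4 packet that carries options, and in particular the Record Route (RR) option that ping -R relies on. The C below is an added example, not code from the mail or from FreeBSD: it walks the option area of an IPv4 header under the three policies being debated (0 = ignore the options and pass the packet unmodified, 1 = process them, 2 = reject the packet), records this host's address into an RR option when it has room, and recomputes the header checksum afterwards. The mail only describes value 0; the sysctl name net.inet.ip.process_options and the meaning of values 1 and 2 are my assumption about FreeBSD's implementation. The sample packet, the 10.0.0.x addresses and the function names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IPv4 option types from RFC 791 */
#define IPOPT_EOL 0
#define IPOPT_NOP 1
#define IPOPT_RR  7

/* Assumed to mirror FreeBSD's net.inet.ip.process_options; the mail
 * only states that 0 means "ignore the option, pass the packet as is". */
enum ipopt_policy { POLICY_IGNORE = 0, POLICY_PROCESS = 1, POLICY_REJECT = 2 };
enum verdict { VERDICT_PASS = 0, VERDICT_DROP = 1 };

/* RFC 1071 ones-complement checksum over the IPv4 header. */
uint16_t ip_checksum(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((hdr[i] << 8) | hdr[i + 1]);
    if (len & 1)
        sum += (uint32_t)hdr[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

static void put_be32(uint8_t *p, uint32_t v)
{ p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }

static uint32_t get_be32(const uint8_t *p)
{ return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }

/* Apply the option policy to one IPv4 packet. Returns VERDICT_PASS or
 * VERDICT_DROP; under POLICY_PROCESS an RR option with free space gets
 * our_addr appended and the header checksum is refreshed. */
int process_ip_options(uint8_t *pkt, size_t len, uint32_t our_addr, int policy)
{
    if (len < 20) return VERDICT_DROP;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len) return VERDICT_DROP;
    if (ihl == 20) return VERDICT_PASS;            /* no options present */
    if (policy == POLICY_REJECT) return VERDICT_DROP;
    if (policy == POLICY_IGNORE) return VERDICT_PASS;   /* pass unmodified */

    uint8_t *opt = pkt + 20, *end = pkt + ihl;
    int modified = 0;
    while (opt < end) {
        uint8_t type = opt[0];
        if (type == IPOPT_EOL) break;
        if (type == IPOPT_NOP) { opt++; continue; }
        if (end - opt < 2) return VERDICT_DROP;                 /* truncated */
        size_t olen = opt[1];
        if (olen < 2 || olen > (size_t)(end - opt)) return VERDICT_DROP; /* bad length */
        if (type == IPOPT_RR) {
            if (olen < 3) return VERDICT_DROP;
            size_t ptr = opt[2];                /* 1-based offset of next free slot */
            if (ptr < 4) return VERDICT_DROP;
            if (ptr + 3 <= olen) {              /* room for one more address */
                put_be32(opt + ptr - 1, our_addr);
                opt[2] = (uint8_t)(ptr + 4);
                modified = 1;
            }                                   /* else full: forward unchanged (RFC 791) */
        }
        opt += olen;
    }
    if (modified) {
        pkt[10] = pkt[11] = 0;
        uint16_t c = ip_checksum(pkt, ihl);
        pkt[10] = c >> 8; pkt[11] = c & 0xff;
    }
    return VERDICT_PASS;
}

/* Constructed sample: 32-byte IPv4 header with an 11-byte RR option (room
 * for two addresses) followed by one NOP pad. Not a real capture. */
size_t build_rr_packet(uint8_t *buf, size_t cap)
{
    if (cap < 32) return 0;
    memset(buf, 0, 32);
    buf[0] = 0x48;                      /* version 4, IHL 8 (32 bytes) */
    buf[3] = 32;                        /* total length: header only */
    buf[8] = 64;                        /* TTL */
    buf[9] = 1;                         /* protocol ICMP */
    put_be32(buf + 12, 0x0a000001);     /* src 10.0.0.1 (constructed) */
    put_be32(buf + 16, 0x0a000002);     /* dst 10.0.0.2 (constructed) */
    buf[20] = IPOPT_RR; buf[21] = 11; buf[22] = 4;
    buf[31] = IPOPT_NOP;
    uint16_t c = ip_checksum(buf, 32);
    buf[10] = c >> 8; buf[11] = c & 0xff;
    return 32;
}

/* Helpers for inspecting the RR option the builder places at offset 20. */
int rr_recorded(const uint8_t *pkt) { return (pkt[22] - 4) / 4; }
uint32_t rr_addr(const uint8_t *pkt, int i) { return get_be32(pkt + 23 + 4 * i); }

int main(void)
{
    uint8_t p[64];
    size_t n = build_rr_packet(p, sizeof p);
    for (int policy = 0; policy <= 2; policy++) {
        uint8_t q[64]; memcpy(q, p, n);
        int v = process_ip_options(q, n, 0x0a000063, policy);
        printf("policy %d: %s, recorded=%d\n", policy,
               v == VERDICT_PASS ? "pass" : "drop", rr_recorded(q));
    }
    return 0;
}
```

Policy 0 is the behaviour Richard votes for: the option bytes are left in place so the packet still forwards, but this host never writes itself into the route list, which is exactly why a ping -R trace through such a host shows a gap. The length checks in the loop are what make policy 1 safe to leave on at all; a malformed option length is dropped rather than read past the header.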