Date:      Thu, 6 May 2004 17:17:24 -0700
From:      David Schultz <das@FreeBSD.ORG>
To:        Andre Oppermann <andre@FreeBSD.ORG>
Cc:        freebsd-current@FreeBSD.ORG
Subject:   Re: Default behaviour of IP Options processing
Message-ID:  <20040507001724.GA76965@VARK.homeunix.com>
In-Reply-To: <409A8EF3.5825EF0C@freebsd.org>
References:  <200405061846.i46Ik3Jc060969@repoman.freebsd.org> <409A8EF3.5825EF0C@freebsd.org>

On Thu, May 06, 2004, Andre Oppermann wrote:
> I have just committed the attached change to ip_input() to control the
> behaviour of IP Options processing.  The default is the unchanged
> current behaviour.
> 
> However I want to propose to change the default from processing options
> to ignoring options (or even stronger to reject them).

I think ignoring IP options by default is a great idea.
However, I have reservations about rejecting packets with
options outright, for two reasons:

- If the options are ignored anyway, it isn't clear that rejecting
  packets would buy us additional security.  Firewalls are an
  exception, but in that case it is more appropriate to block the
  packets with a firewall rule.

- Blocking packets could create interoperability issues with other
  hosts.  For instance, researchers have proposed DOS defenses that
  involve placing a nonce in the IP timestamp field.  If we're
  going to make the Internet a PITA for them to use, there had
  better be a good reason for it.
