Date: Thu, 20 Dec 2001 00:35:55 +0300
From: Yar Tikhiy <yar@FreeBSD.ORG>
To: Maxim Konovalov <maxim@macomnet.ru>
Cc: net@FreeBSD.ORG, hackers@FreeBSD.ORG
Subject: IP options (was: Processing IP options reveals IPSTEALH router)
Message-ID: <20011220003555.A52848@comp.chem.msu.su>
In-Reply-To: <20011219195659.G25693-100000@news1.macomnet.ru>; from maxim@macomnet.ru on Wed, Dec 19, 2001 at 08:54:50PM +0300
References: <20011219194903.D21732@comp.chem.msu.su> <20011219195659.G25693-100000@news1.macomnet.ru>

On Wed, Dec 19, 2001 at 08:54:50PM +0300, Maxim Konovalov wrote:
>
> By the way, is it correct to forward the packet with incorrect ip
> options? Now we do not.

No RFC seems to specify that particularly.  However, RFC 1812
reads in general:

   (1) A router MUST verify the IP header, as described in section
       [5.2.2], before performing any actions based on the contents of
       the header.  This allows the router to detect and discard bad
       packets before the expenditure of other resources.

Meanwhile more IP option issues came to my attention...

Neither RFC 791 nor RFC 1122 nor RFC 1812 specifies the following:
if a source-routed IP packet reaches the end of its route, but its
destination address doesn't match a current host/router, whether
the packet should be discarded, sent forth through usual routing
or accepted as destined for this host?

FreeBSD will route such a packet as usual.

Then, a FreeBSD host (net.inet.ip.forwarding=0) will respond with
Source Route Failed ICMPs to source-routed IP packets if source
route processing is prohibited using net.inet.ip.sourceroute or
net.inet.ip.accept_sourceroute.  To my mind, it may be deduced from
RFC 1122 that a host must stay silent in this case...

-- 
Yar
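
Added example, not part of the original message and not FreeBSD's own option-processing code: a validator that checks the IP options area before anything acts on it, as the quoted RFC 1812 rule requires, and flags the case the message describes, a source route that is used up while the destination address is not the local one. The names ip_sr_state and sr_ended_elsewhere, the sample packet and the local address are assumptions made for this sketch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum sr_state { SR_NONE, SR_BAD, SR_PENDING, SR_EXHAUSTED };

/* Constructed sample: LSRR (len 7) with pointer 8, i.e. past its only address. */
static const uint8_t sample_pkt[28] = {
    0x47, 0, 0, 28, 0, 0, 0, 0, 64, 1, 0, 0, 198, 51, 100, 7, 192, 0, 2, 9,
    131, 7, 8, 10, 0, 0, 1, 0 };

/* Validate the options area and report the state of any source route. */
enum sr_state ip_sr_state(const uint8_t *hdr, size_t caplen)
{
    if (caplen < 20 || (hdr[0] >> 4) != 4) return SR_BAD;
    size_t hlen = (size_t)(hdr[0] & 0x0f) * 4;
    if (hlen < 20 || hlen > caplen) return SR_BAD;
    enum sr_state state = SR_NONE;
    for (size_t i = 20; i < hlen; ) {
        uint8_t type = hdr[i];
        if (type == 0) break;                      /* End of Option List */
        if (type == 1) { i++; continue; }          /* No Operation */
        if (i + 1 >= hlen) return SR_BAD;          /* length octet missing */
        uint8_t olen = hdr[i + 1];
        if (olen < 2 || i + olen > hlen) return SR_BAD;   /* overruns header */
        if (type == 131 || type == 137) {          /* LSRR / SSRR */
            /* no pointer octet, or a second route (strict choice made here) */
            if (olen < 3 || state != SR_NONE) return SR_BAD;
            uint8_t ptr = hdr[i + 2];              /* 1-based; first slot is 4 */
            if (ptr < 4 || ptr % 4 != 0) return SR_BAD;
            if (ptr > olen) state = SR_EXHAUSTED;  /* end of route reached */
            else if (ptr + 3 > olen) return SR_BAD;       /* truncated slot */
            else state = SR_PENDING;
        }
        i += olen;
    }
    return state;
}

/* The case the message calls unspecified: route used up, dst is not ours. */
int sr_ended_elsewhere(const uint8_t *hdr, size_t caplen, const uint8_t local[4])
{
    return ip_sr_state(hdr, caplen) == SR_EXHAUSTED && memcmp(hdr + 16, local, 4) != 0;
}

int main(void)
{
    const uint8_t me[4] = { 192, 0, 2, 1 };        /* constructed local address */
    puts(sr_ended_elsewhere(sample_pkt, 28, me) ? "route ended elsewhere" : "ok");
    return 0;
}
```

What to do with a flagged packet (discard, forward, or accept) is the policy question the message leaves open; the sketch only identifies the case.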