From owner-freebsd-security Fri Jan 21 22:15:44 2000
From: "Rodney W. Grimes"
Message-Id: <200001220614.WAA59998@gndrsh.dnsmgr.net>
Subject: Re: stream.c worst-case kernel paths
In-Reply-To: <20000122044638.B27337@hades.hell.gr> from Giorgos Keramidas at "Jan 22, 2000 04:46:38 am"
To: keramida@ceid.upatras.gr
Date: Fri, 21 Jan 2000 22:14:44 -0800 (PST)
Cc: brett@lariat.org (Brett Glass), dillon@apollo.backplane.com (Matthew Dillon), imp@village.org (Warner Losh), avalon@coombs.anu.edu.au (Darren Reed), security@FreeBSD.ORG

> > I'd certainly like to see this extended to RST.  We can optimize socket
> > searching and prevent TCP from sending RSTs (or anything!) to multicast
> > addresses at the same time.  (We probably also want to block RECEIVED TCP
> > packets from multicast addresses, as Wes suggests.)
>
> So what needs to be done is:
>
> (a) drop all multicast packets that reach the tcp stack.
> (b) extend ICMP_BANDLIM to RST packets, and
> (c) avoid sending anything tcp to a multicast address
>
> Do I forget something here?

(d) Audit the whole ip stack top to bottom for conformance to RFC, and
good coding practices like bounds checking, and invalid data handling.
(Your (a) above is invalid data between the ip layer and tcp, handled at
either output from ip or as input to tcp in the upwards stack direction,
and (c) is output from tcp to ip in the downward stack direction.)

There is also a nice bandwidth limiter that can be applied to almost any
packet by using dummynet, just write your filter carefully :-)

-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25)               rgrimes@gndrsh.dnsmgr.net
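The three checks Giorgos lists, (a) dropping multicast segments on TCP input, (c) never sending TCP to a multicast destination, and (b) putting RST generation under an ICMP_BANDLIM-style limit, as one added C example written for this archive page. It is not FreeBSD's tcp_input() or its ICMP_BANDLIM code; the helper names, the host-byte-order uint32_t addresses, the per-second counter, and the stream.c-style burst it feeds itself are all this example's own constructions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* IPv4 addresses here are host byte order. The helper names are this
 * example's own, not the kernel's IN_MULTICAST()/INADDR_BROADCAST. */
static bool ipv4_is_multicast(uint32_t a)     { return (a & 0xF0000000u) == 0xE0000000u; }
static bool ipv4_is_limited_bcast(uint32_t a) { return a == 0xFFFFFFFFu; }

/* (a) Input side: a TCP segment with a multicast or broadcast address in
 * either field can never belong to a connection. Drop it before the socket
 * lookup, so a forged burst does not even pay for the hash walk. */
bool tcp_input_should_drop(uint32_t src, uint32_t dst)
{
    return ipv4_is_multicast(src) || ipv4_is_limited_bcast(src) ||
           ipv4_is_multicast(dst) || ipv4_is_limited_bcast(dst);
}

/* (c) Output side: TCP emits nothing, RST included, to a multicast or
 * broadcast destination. */
bool tcp_output_allowed(uint32_t dst)
{
    return !ipv4_is_multicast(dst) && !ipv4_is_limited_bcast(dst);
}

/* (b) A per-second counter in the spirit of ICMP_BANDLIM, applied to RSTs:
 * once `limit` RSTs have gone out in the current second, further ones are
 * silently dropped until the clock moves to the next second. */
struct bandlim {
    int64_t cur_second;  /* the second the counter refers to */
    int     count;       /* RSTs sent in that second */
    int     limit;       /* maximum RSTs per second */
    int     suppressed;  /* RSTs dropped by the limiter (for a rate-limited log line) */
};

bool bandlim_allow(struct bandlim *b, int64_t now_ms)
{
    int64_t sec = now_ms / 1000;
    if (sec != b->cur_second) {     /* new second: start a fresh window */
        b->cur_second = sec;
        b->count = 0;
    }
    if (b->count >= b->limit) {
        b->suppressed++;
        return false;
    }
    b->count++;
    return true;
}

/* Decision for one unsolicited segment (no matching socket): true if a RST
 * should go back to `src`. Order matters: the address checks cost nothing
 * and run first, so the limiter only sees plausible candidates. */
bool tcp_respond_with_rst(struct bandlim *b, uint32_t src, uint32_t dst, int64_t now_ms)
{
    if (tcp_input_should_drop(src, dst))   /* (a) */
        return false;
    if (!tcp_output_allowed(src))          /* (c): the RST's destination is the segment's source */
        return false;
    return bandlim_allow(b, now_ms);       /* (b) */
}

/* Constructed stream-style burst: n segments to a closed port on 10.0.0.1
 * from spoofed 10.x.y.z sources, every tenth one (i % 10 == 9) carrying a
 * multicast source 224.0.0.x. Segments arrive `spacing_ms` apart.
 * Returns how many RSTs the stack would have emitted. */
int simulate_stream_burst(int n, int limit, int64_t start_ms, int64_t spacing_ms)
{
    struct bandlim b = { .cur_second = -1, .count = 0, .limit = limit, .suppressed = 0 };
    uint32_t dst = 0x0A000001u;  /* 10.0.0.1, the victim */
    int sent = 0;
    for (int i = 0; i < n; i++) {
        uint32_t src = (i % 10 == 9) ? (0xE0000000u | (uint32_t)(i & 0xFF))
                                     : (0x0A000000u | (uint32_t)(i + 2));
        if (tcp_respond_with_rst(&b, src, dst, start_ms + (int64_t)i * spacing_ms))
            sent++;
    }
    return sent;
}

int main(void)
{
    /* 1000 segments in one second: 100 dropped as multicast, 200 RSTs sent, 700 suppressed. */
    printf("burst within one second: %d RSTs sent\n", simulate_stream_burst(1000, 200, 5000, 0));
    /* The same 1000 spread over ten seconds: 90 candidates per second, all under the limit. */
    printf("burst over ten seconds:  %d RSTs sent\n", simulate_stream_burst(1000, 200, 5000, 10));
    return 0;
}
```

The point the two runs make is the one Rod raises with dummynet: the multicast checks remove a whole class of packets for free, but only the rate limit bounds the worst-case cost of a flood of otherwise well-formed segments, and its limit is what decides whether a burst at a given rate is a nuisance or an outage.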