On Sat, Sep 01, 2001 at 12:57:08PM +0200, YOSHIFUJI Hideaki / ?$B5HF#1QL@?(B
wrote:
> In article <20010901122229.64064@xxxxxxxxxxxx> (at Sat, 1 Sep 2001 12:22:29
> +0200), Andi Kleen <ak@xxxxxx> says:
>
> > On Sat, Sep 01, 2001 at 01:14:11AM +0200, David Stevens wrote:
> > > ip6_forward() has the following two lines:
> > >
> > > if (ipv6_devconf.forwarding == 0 && opt->srcrt == 0)
> > > goto error;
> > >
> > > Aside from the other issue of per-interface forwarding :-), this appears
> > > to allow
> > > forwarding of source-routed packets even when the node is a host, only.
> > > That
> > > seems to be a security hole to me. Suppose you have a multihomed host, or
>
> > > if (ipv6_devconf.forwarding == 0)
> > > goto error;
> >
> > Definitely.
>
> NO. In IPv6, even a node is not a router (i.e. it is a host),
> it MUST forward source routed packet. So,
I would still agree with David that it is a security hole (at least without
a working ipsec infrastructure)
Even if the Spec says otherwise this hole should be closed.
-Andi
|