Firewalls: Re: source routing

Firewalls
(June 1994)

Indexed By Thread: [Previous] [Next]

Subject:	Re: source routing
From:	jsz @ ramon . bgu . ac . il
Date:	Tue, 7 Jun 94 2:26:12 IDT
To:	lakind1 @ qmsmtpgw . mugu . navy . mil (Doug Lakin)
Cc:	brent @ greatcircle . com, firewalls @ greatcircle . com
In-reply-to:	<9406062139 . AA18375 @ mugu . navy . mil>; from "Doug Lakin" at Jun 6, 94 2:37 pm

> 
> # I've heard that source routing is dangerous security-wise.  Can
> # someone please explain what it is and why it's dangerous?  Thanks.
> 
> brent @
 GreatCircle .
 COM (Brent Chapman) writes:
> 
> >Source routing is not that dangerous in and of itself.  The problem
> >is, some "routers" (generally UNIX machines with multiple interfaces,
> >not dedicated boxes specificly designed to be routers) will always
> >forward source-routed packets, even if IP forwarding (normal routing)
> >is supposedly turned off.
> 
> I have also heard that some earlier router software suffered from the same
> disease.  Could you summarize which UNIX OS and versions have the problem, as
> well as any known patches?
> 
> 

As far as I can tell -- source routing is supported by default on Solaris 2.X;
IRIX 4.0.X through 5.2; SunOS 4.1.X has ip_forwarding off, but source-routing
on it is somewhat broken, AIX 3.2.X also supports source-routed packets 
properly as well, don't know much about Linux, or NetBSD, but most likely
they supposedly have it on as well, Ultrix has it turned on too, so 
almost every "daemon" that uses tcp packets is vulnerable --
basically "bad guys" can use a fake address and the tcp port will let them
get by any address based authentication. (tcp port -- ie ypserv (with/or 
without "securenets" patch, mountd/tcp, nfsd, portmapper, rshd, rlogind,
telnetd, and what not..)

Weirdly, ciscos pass source routed packets on (by default), though
the cisco routers have a "no ip source-route" configuration option which
you may want to set in your router (if you use cisco, of course)
However, when loose source routing is used, the machine sees telnet 
packets with destinations that are legal machines within your subnet.
Without the destination address being that of the router it does not seem
to examine the options field of the packet, so the packet is sent on. 
Though it'd partly resolve the problem -- this clause would quite 
effectively block strict source routing because the router would have to
be specified in one of the hops. 

Cheers,

.jsz.

Follow-Ups:

Re: source routing
From: Craig Metz <cmetz @ thor . tjhsst . edu>

References:

Re: source routing
From: "Doug Lakin" <lakind1 @ qmsmtpgw . mugu . navy . mil>

Indexed By Date	Previous:	www-proxy mailing list information From: altis @ ibeam . intel . com (Kevin Altis)
Indexed By Date	Next:	Re: source routing From: Craig Metz <cmetz @ thor . tjhsst . edu>
Indexed By Thread	Previous:	Re: source routing From: "Doug Lakin" <lakind1 @ qmsmtpgw . mugu . navy . mil>
Indexed By Thread	Next:	Re: source routing From: Craig Metz <cmetz @ thor . tjhsst . edu>