Subject: Re: illegal network routes and a ponderance
To: None <tech-net@netbsd.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-net
Date: 02/21/2003 19:34:27
>> Or rather, for illusion-of-security reasons. There's not that much
>> software left that makes security decisions based on packets' source
>> addresses, and such software has always been buggy.
> Sendmail, relay checks.
Ugh, good point. And - at least in the code I just looked at, which
admittedly is probably not the most recent - sendmail doesn't disable
any source-route option that's present.
> Do you really want to turn your machine into an open-relay by
> allowing source routing?
No, I don't want to turn my machine into an open relay at all - but the
right thing to do is not to disable source routing, but to fix sendmail
(or run something else, something that _does_ know that peer IP
addresses cannot be trusted unless any source-route options have been
explicitly removed).
Fix the problem, don't break a useful facility to fix the symptom.
(Not that the facility is all that useful these days, given the large
numbers of people who already have broken it....)
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML mouse@rodents.montreal.qc.ca
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B