Woody <[EMAIL PROTECTED]> wrote:

>We believe there to be a serious security flaw in the TCP/IP stack of
>several Unix-like operating systems. Whilst being "known" behavior on
>technical mailing lists, we feel that the implications of this
>"feature" are unexpected. Furthermore, not all platforms behave in the
>same way, which will obviously lead to invalid expectations.

[detailed description snipped]

I am surprised to see this described as a flaw.  It is behavior I
have been relying on for some time.  Specifically, on my client
machines, I add a route to the alternate interface of my servers via
the direct interface of the same server.  This allows direct
connection to the server without relying on a router, regardless of
which IP address is used for the service.  For NFS clients, I
consider it important to be able to do this.

If there is a flaw, it is surely in the thinking of people who
mistakenly assumed that multi-homed systems would not behave so as to
allow this.

The original message states

>At the moment, any machine which has either:

>o       services running on the loopback interface

>o       two or more external interfaces

>must be configured, using a firewall, to drop IP packets arriving from
>the wrong network in order to be secure. This is commonly not the
>case.

This is surely an overstatement.  I expect that there are many
multi-homed servers which offer the same network services on each
interface.  There do not appear to be any security issues in such
cases.

 -NWR
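The two positions in this exchange (the original report's "packets arriving from the wrong network" and NWR's route-via-the-direct-interface trick) are both consequences of the weak host model, in which a host accepts a packet for any of its own addresses on any interface. The toy model below is an added example, not code from either poster; interface names, addresses and the packets are constructed. It shows the same three packets handled by a weak host, a strong host (which only delivers a packet on the interface that owns the destination address), and a weak host with the input filter the original report says is required. Real stacks differ in detail: Linux follows the weak host model for IPv4 by default, but it already rejects 127/8 destinations arriving on non-loopback interfaces as martians unless net.ipv4.conf.<if>.route_localnet is enabled, so the loopback case is shown here only as the report describes it.

```python
"""Toy model of local delivery on a multi-homed host under the weak and strong
host models. Constructed example; not a real stack and not the thread's code."""
from dataclasses import dataclass, field
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


@dataclass(frozen=True)
class Iface:
    name: str   # invented interface name, e.g. "eth0"
    addr: str   # address configured on that interface


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet physically arrived on
    dst: str       # destination address in the IP header


@dataclass
class Host:
    ifaces: list
    strong_host: bool = False     # False = weak host model (Linux IPv4 default)
    filter_rules: list = field(default_factory=list)  # (ingress, dst_net, action)

    def owner_of(self, dst):
        """Return the interface that owns dst, or None if dst is not local."""
        if dst in LOOPBACK:
            return "lo"
        for i in self.ifaces:
            if ipaddress.ip_address(i.addr) == dst:
                return i.name
        return None

    def deliver(self, pkt):
        """Return 'accept' if the packet reaches a local socket, else 'drop'."""
        dst = ipaddress.ip_address(pkt.dst)
        owner = self.owner_of(dst)
        if owner is None:
            return "drop"            # not addressed to us (no forwarding in this toy)
        # An input filter runs before local delivery, on both host models.
        for ingress, net, action in self.filter_rules:
            if ingress == pkt.ingress and dst in ipaddress.ip_network(net):
                return action
        # Strong host model: the address must belong to the arrival interface.
        if self.strong_host and owner != pkt.ingress:
            return "drop"
        return "accept"


def wrong_interface_rules(ifaces):
    """The filter the original report calls for: on every interface, drop
    packets for loopback and for every *other* interface's address."""
    rules = []
    for ing in ifaces:
        rules.append((ing.name, "127.0.0.0/8", "drop"))
        for other in ifaces:
            if other.name != ing.name:
                rules.append((ing.name, other.addr + "/32", "drop"))
    return rules


def run_scenarios():
    """Three constructed packets against three host configurations."""
    ifaces = [Iface("eth0", "10.0.0.5"),      # external side (invented)
              Iface("eth1", "192.168.1.5")]   # internal side (invented)
    packets = {
        # From the external network to a service bound only to loopback.
        "loopback": Packet("eth0", "127.0.0.1"),
        # NWR's NFS trick: the client routes 192.168.1.5 via 10.0.0.5, so the
        # packet arrives on eth0 but is addressed to eth1.
        "alt_iface": Packet("eth0", "192.168.1.5"),
        # Ordinary traffic to eth0's own address.
        "own": Packet("eth0", "10.0.0.5"),
    }
    hosts = {
        "weak": Host(ifaces),
        "strong": Host(ifaces, strong_host=True),
        "weak+filter": Host(ifaces, filter_rules=wrong_interface_rules(ifaces)),
    }
    return {hname: {pname: h.deliver(p) for pname, p in packets.items()}
            for hname, h in hosts.items()}


if __name__ == "__main__":
    for hname, results in run_scenarios().items():
        print(f"{hname:12s}", "  ".join(f"{k}={v}" for k, v in results.items()))
```

The weak host accepts all three packets, which is exactly why NWR's host route works and also why the report counts the loopback-bound service as exposed; the strong host and the filtered weak host both drop the two cross-interface packets, so the filter that closes the exposure also removes the behaviour NWR relies on. Any real fix for a multi-homed server has to be decided per interface pair rather than applied blindly.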
