2002-09-16 16:45:35

by tomc

Subject: Problem: RFC1166 addressing

RFC 1166 states that:


The class A network number 127 is assigned the "loopback"
function, that is, a datagram sent by a higher level protocol
to a network 127 address should loop back inside the host. No
datagram "sent" to a network 127 address should ever appear on
any network anywhere.

Linux does not enforce this. I have uncovered some users using this
function to attempt to circumvent the firewall. I am able to "create" 127
network traffic as follows:

Machine 1: ifconfig eth0:1 127.1.2.3 [ running kernel 2.2.14 ]

Machine 2: ifconfig eth0:1 127.1.2.4 [ running kernel 2.4.19 ]

Machine 2: ping 127.1.2.3

Packets move between the hosts. Also seems to work on Macintosh.

tc

2002-09-16 16:59:46

by Russell King

Subject: Re: Problem: RFC1166 addressing

On Mon, Sep 16, 2002 at 11:50:36AM -0500, [email protected] wrote:
> RFC 1166 states that:
>
> The class A network number 127 is assigned the "loopback"
> function, that is, a datagram sent by a higher level protocol
> to a network 127 address should loop back inside the host. No
> datagram "sent" to a network 127 address should ever appear on
> any network anywhere.

Things to note:

"should" != "must"

1166 Internet numbers. S. Kirkpatrick, M.K. Stahl, M. Recker.
Jul-01-1990. (Format: TXT=566778 bytes) (Obsoletes RFC1117, RFC1062,
RFC1020) (Status: INFORMATIONAL)
^^^^^^^^^^^^^^^^^^^^^ (not a standard)

RFC2119 defines should and must as:

1. MUST This word, or the terms "REQUIRED" or "SHALL", mean that the
definition is an absolute requirement of the specification.

3. SHOULD This word, or the adjective "RECOMMENDED", mean that there
may exist valid reasons in particular circumstances to ignore a
particular item, but the full implications must be understood and
carefully weighed before choosing a different course.

> Linux does not enforce this. I have uncovered some users using this
> function to attempt to circumvent the firewall. I am able to "create"
> 127 network traffic as follows:
>
> Machine 1: ifconfig eth0:1 127.1.2.3 [ running kernel 2.2.14 ]
>
> Machine 2: ifconfig eth0:1 127.1.2.4 [ running kernel 2.4.19 ]
>
> Machine 2: ping 127.1.2.3
>
> Packets move between the hosts. Also seems to work on Macintosh.

If your users have access to ifconfig, then they can also send out
whatever packets they want via raw network sockets, even packets that
appear to be coming from external IP addresses. Adding protection
into the kernel for 127/8 buys you nothing from a determined user
that has root.

I'd suggest configuring the firewall up correctly; deny traffic with
the 127/8 address being received via any non-loopback interface.

A good rule of thumb for firewalls: Deny everything. Then
explicitly specify what you want to let through.

--
Russell King ([email protected]) The developer of ARM Linux
http://www.arm.linux.org.uk/personal/aboutme.html
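Russell's two suggestions (drop 127/8 seen on any non-loopback interface, then default-deny and list what is allowed) written out as a checkable packet policy. This is an added example, not code from the thread; the allow-list, the netfilter-LOG-style line format and the sample lines are constructed assumptions, and the iptables rule in the comment is assumed rather than taken from the page.

```python
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Constructed allow-list: (ingress interface, protocol, destination port) the
# firewall explicitly admits. Everything not listed here is denied.
ALLOWED = {("eth0", "TCP", 22), ("eth0", "TCP", 80)}


def verdict(iface, proto, src, dst, dport=None):
    """Decide ACCEPT/DROP for one inbound packet, checking rules in order."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Rule 1: 127/8 belongs on the loopback interface only. Seen on any other
    # interface it is forged or misconfigured traffic, so drop it.
    # (assumed iptables form: iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP)
    if iface != "lo" and (s in LOOPBACK or d in LOOPBACK):
        return "DROP"
    if iface == "lo":
        return "ACCEPT"
    # Rule 2: default deny; only explicitly listed services get through.
    if (iface, proto, dport) in ALLOWED:
        return "ACCEPT"
    return "DROP"


def parse(line):
    """Parse a netfilter-LOG-style 'KEY=value' line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def scan(lines):
    """Apply verdict() to each logged packet; return [(src, dst, verdict)]."""
    out = []
    for line in lines:
        f = parse(line)
        dport = int(f["DPT"]) if "DPT" in f else None
        v = verdict(f["IN"], f["PROTO"], f["SRC"], f["DST"], dport)
        out.append((f["SRC"], f["DST"], v))
    return out


# Constructed sample: the thread's ping (127.1.2.4 -> 127.1.2.3 over eth0),
# a legitimate loopback packet, an allowed SSH connection and a stray UDP probe.
SAMPLE = [
    "IN=eth0 SRC=127.1.2.4 DST=127.1.2.3 PROTO=ICMP",
    "IN=lo SRC=127.0.0.1 DST=127.0.0.1 PROTO=TCP DPT=25",
    "IN=eth0 SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP DPT=22",
    "IN=eth0 SRC=192.0.2.10 DST=192.0.2.1 PROTO=UDP DPT=53",
]

if __name__ == "__main__":
    for src, dst, v in scan(SAMPLE):
        print(f"{src:>12} -> {dst:<12} {v}")
```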

2002-09-16 17:20:57

by Gerhard Mack

Subject: Re: Problem: RFC1166 addressing

On Mon, 16 Sep 2002 [email protected] wrote:

> Date: Mon, 16 Sep 2002 11:50:36 -0500
> From: [email protected]
> To: [email protected]
> Subject: Problem: RFC1166 addressing
>
> RFC 1166 states that:
>
>
> The class A network number 127 is assigned the "loopback"
> function, that is, a datagram sent by a higher level protocol
> to a network 127 address should loop back inside the host. No
> datagram "sent" to a network 127 address should ever appear on
> any network anywhere.
>
> Linux does not enforce this. I have uncovered some users using this
> function to attempt to circumvent the firewall. I am able to "create" 127
> network traffic as follows:
>
> Machine 1: ifconfig eth0:1 127.1.2.3 [ running kernel 2.2.14 ]
>
> Machine 2: ifconfig eth0:1 127.1.2.4 [ running kernel 2.4.19 ]
>
> Machine 2: ping 127.1.2.3
>
> Packets move between the hosts. Also seems to work on Macintosh.


I would call that a bug in the firewall rules. Depending on the hosts to
behave in such a way as to make life easier for the firewall makes for a
losing proposition.

Gerhard


--
Gerhard Mack

[email protected]

<>< As a computer I find your faith in technology amusing.

2002-09-16 17:18:45

by Richard B. Johnson

Subject: Re: Problem: RFC1166 addressing

On Mon, 16 Sep 2002 [email protected] wrote:

> RFC 1166 states that:
>
>
> The class A network number 127 is assigned the "loopback"
> function, that is, a datagram sent by a higher level protocol
> to a network 127 address should loop back inside the host. No
> datagram "sent" to a network 127 address should ever appear on
> any network anywhere.

I haven't tested this <yet>, but this is not mandatory because the
standard says "should". I know that some older versions of SunOs would
"announce" when they saw such an address on the wire. This was once
found to come from an incorrectly-configured INTERACTIVE Unix machine
here.

You will need root privs to use `ifconfig` and the same to write
raw packets from user-mode so I don't think you have a problem
with the kernel not, as you say, enforcing the standard. Of course,
if everybody has root, then they can do anything regardless of any
kernel enforcement. Just write raw packets claiming you are from
whitehouse.gov and you can rule the universe.

Cheers,
Dick Johnson
Penguin : Linux version 2.4.18 on an i686 machine (797.90 BogoMips).
The US military has given us many words, FUBAR, SNAFU, now ENRON.
Yes, top management were graduates of West Point and Annapolis.

2002-09-16 17:28:54

by tomc

Subject: Re: Problem: RFC1166 addressing


You are correct sir. I was just quite surprised to find that it works,
and that I can reassign the 127 network to any interface I like.

tc



Gerhard Mack <gmack@innerfire.net>   To: [email protected]
09/16/02 12:25 PM                    cc: [email protected]
                                     Subject: Re: Problem: RFC1166 addressing

2002-09-16 22:58:56

by Alan

Subject: Re: Problem: RFC1166 addressing

On Mon, 2002-09-16 at 17:50, [email protected] wrote:
> Linux does not enforce this. I have uncovered some users using this
> function to attempt to circumvent the firewall. I am able to "create" 127
> network traffic as follows:

If you choose to configure that way then yes you can. Since any other
box on the net can also send/receive 127.* packets make sure your
firewall is right 8)