[LINK] New security RFC from the IETF

Andy Farkas andyf at speednet.com.au
Wed Apr 2 12:46:00 EST 2003


On Tue, 1 Apr 2003, James Morris wrote:

> 3514 The Security Flag in the IPv4 Header. S. Bellovin. 1 April 2003.
>      (Format: TXT=11211 bytes) (Status: INFORMATIONAL)
>
> ftp://ftp.rfc-editor.org/in-notes/rfc3514.txt
>
>
>
> - James
> --
> James Morris
> <jmorris at intercode.com.au>
>

Hehe... I suggested this be implemented in FreeBSD. It was:

<quote>

*From mdodd at freebsd.org Wed Apr  2 12:35:27 2003
Date: Tue, 1 Apr 2003 00:21:44 -0800 (PST)
From: Matthew N. Dodd <mdodd at freebsd.org>
To: src-committers at freebsd.org, cvs-src at freebsd.org, cvs-all at freebsd.org
Subject: cvs commit: src/sbin/ping ping.8 ping.c src/share/man/man4 inet.4
    ip.4 src/sys/netinet in.h in_pcb.h ip.h ip_input.c ip_output.c ip_var.h
    src/usr.bin/netstat inet.c

mdodd       2003/04/01 00:21:44 PST

  FreeBSD src repository

  Modified files:
    sbin/ping            ping.8 ping.c
    share/man/man4       inet.4 ip.4
    sys/netinet          in.h in_pcb.h ip.h ip_input.c ip_output.c
                         ip_var.h
    usr.bin/netstat      inet.c
  Log:
  Implement support for RFC 3514 (The Security Flag in the IPv4 Header).
  (See: ftp://ftp.rfc-editor.org/in-notes/rfc3514.txt)

  This fulfills the host requirements for userland support by
  way of the setsockopt() IP_EVIL_INTENT message.

  There are three sysctl tunables provided to govern system behavior.

          net.inet.ip.rfc3514:

                  Enables support for rfc3514.  As this is an
                  Informational RFC and support is not yet widespread
                  this option is disabled by default.

          net.inet.ip.hear_no_evil

                   If set the host will discard all received evil packets.

          net.inet.ip.speak_no_evil

                  If set the host will discard all transmitted evil packets.

  The IP statistics counter 'ips_evil' (available via 'netstat') provides
  information on the number of 'evil' packets received.

  For reference, the '-E' option to 'ping' has been provided to demonstrate
  and test the implementation.

  Revision  Changes    Path
  1.47      +4 -2      src/sbin/ping/ping.8
  1.92      +13 -1     src/sbin/ping/ping.c
  1.21      +11 -0     src/share/man/man4/inet.4
  1.29      +9 -0      src/share/man/man4/ip.4
  1.75      +2 -0      src/sys/netinet/in.h
  1.59      +1 -0      src/sys/netinet/in_pcb.h
  1.22      +1 -0      src/sys/netinet/ip.h
  1.232     +14 -0     src/sys/netinet/ip_input.c
  1.181     +28 -1     src/sys/netinet/ip_output.c
  1.72      +1 -0      src/sys/netinet/ip_var.h
  1.57      +1 -0      src/usr.bin/netstat/inet.c
_______________________________________________
cvs-all at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe at freebsd.org"

</quote>

--

 :{ andyf at speednet.com.au

        Andy Farkas
    System Administrator
   Speednet Communications
 http://www.speednet.com.au/
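For readers who want to see what the receive-side half of that commit amounts to, here is an added example (my own sketch, not the FreeBSD code from the commit): RFC 3514 places the "evil bit" in the formerly reserved high-order bit of the IPv4 flags/fragment-offset word, and the filter below mirrors the `net.inet.ip.rfc3514` / `net.inet.ip.hear_no_evil` sysctls and the `ips_evil` counter as plain C globals (the names are assumptions modelled on the commit message), checking constructed 20-byte headers.

```c
#include <stdint.h>
#include <stddef.h>

/* RFC 3514: the evil bit is the high-order (previously reserved) bit of the
 * 16-bit flags + fragment-offset word at header bytes 6..7. */
#define IP_EVIL_BIT 0x8000u

/* Stand-ins for the sysctls named in the commit (assumed names/values). */
static int rfc3514 = 1;            /* net.inet.ip.rfc3514: feature enabled */
static int hear_no_evil = 1;       /* net.inet.ip.hear_no_evil: drop evil rx */
static unsigned long ips_evil = 0; /* analogue of the 'ips_evil' counter */

/* Returns 1 if the IPv4 header carries the evil bit, 0 if not,
 * -1 if the buffer is too short or is not IPv4. */
int ip_is_evil(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    uint16_t off = (uint16_t)((pkt[6] << 8) | pkt[7]); /* network order */
    return (off & IP_EVIL_BIT) ? 1 : 0;
}

/* Receive-side decision modelled on hear_no_evil: 1 = accept, 0 = drop.
 * Evil packets are counted whenever RFC 3514 support is on, even if kept. */
int ip_input_filter(const uint8_t *pkt, size_t len)
{
    int evil = ip_is_evil(pkt, len);
    if (evil < 0)
        return 0;                  /* malformed header: drop */
    if (!rfc3514 || !evil)
        return 1;                  /* support off, or benign: accept */
    ips_evil++;
    return hear_no_evil ? 0 : 1;
}

unsigned long ips_evil_count(void) { return ips_evil; }

/* Constructed sample headers: 20-byte IPv4, 10.0.0.1 -> 10.0.0.2, ICMP.
 * Byte 6 is 0x40 (DF only) for the benign one, 0xC0 (evil + DF) for the other;
 * the checksum field is left zero since nothing here verifies it. */
const uint8_t benign_hdr[20] = { 0x45,0x00,0x00,0x14, 0x00,0x01, 0x40,0x00,
                                 0x40,0x01, 0x00,0x00, 10,0,0,1, 10,0,0,2 };
const uint8_t evil_hdr[20]   = { 0x45,0x00,0x00,0x14, 0x00,0x02, 0xC0,0x00,
                                 0x40,0x01, 0x00,0x00, 10,0,0,1, 10,0,0,2 };
```

With `hear_no_evil` set, the evil header is dropped and the counter advances to 1; clearing it keeps the packet but still counts it, which is the behaviour the commit message describes for `netstat`.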




