Julian Elischer wrote:
> On Thu, 6 May 2004, David W. Chapman Jr. wrote:
>
>>> We are using RR option all the time to track down routing
>>> asymmetry and traceroute is not an option, ping -R is very useful
>>> in those cases. We all know that ipfw (and I am sure all other
>>> *pf*) is able to process ip opts quite well and personally see no
>>> point in these sysctls. I fail to see a documentation update
>>> (inet.4 ?) as well.
>>>
>>> It is not clear for me why you ever ask for opinions after commit
>>> not before. Strict "nay" if you care :-)
>>
>> He hasn't changed the default yet. But I think for the select few
>> who actually use such tcp options, they can enable it. Most of
>> the users however will not need this. I think the point that is
>> trying to be made is that they want the default installation to be
>> more secure and those who need these features can simply turn them
>> on.
>
> what security problem are you expecting?

Isn't that irrelevant? If 99.99% of the FreeBSD users don't need ip options, why should they be honored by default? Just because we can't think of a security issue at the moment doesn't mean one won't show up in the future.

But in the interest of POLA, I would vote for the default to be 0 (just ignore the option and pass packet unmodified).

And regardless of the outcome, please mention this somewhere in the networking section of the FreeBSD handbook.

Richard Coleman
richardcoleman_at_mindspring.com

Received on Thu May 06 2004 - 15:29:59 UTC