VERY interesting - but security implications to others?!?
Posted Jan 31, 2006 23:27 UTC (Tue) by dwheeler
Parent article: Van Jacobson's network channels
This looks VERY interesting, and I expect that this WILL be implemented. I think this is (mostly) a very good idea.
But it appears to me that this has a dark side. Today, because the kernel assembles packets, only trusted (root) programs can forge packets and create many kinds of funky attack packets. If user-level applications can create arbitrary packets, then ANYONE -- even untrusted applications -- can forge arbitrary packets and arbitrary attack packets.
Clearly, in some situations this wouldn't matter. But historically getting only "user privileges" limited what you could do, including having to give away your IP address and only being able to send certain kinds of packets. This gives a new weapon, not so much against the machine IMPLEMENTING the new approach, but against OTHER machines (whether or not they do so). Today, given only low privileges, you can't create funky packets (like Xmas tree ones) or total forgeries. Unless there are kernel-level checks or I misunderstand something, you CAN cause these problems.
Just imagine; a user-space app sends out a broadcast from 127.0.0.1, etc., etc. There's a LOT of mischief that's been limited to kernel-space programs before that this might expose.
I'd like to see an implementation automatically check the outgoing packets for certain properties as part of the kernel (e.g., valid sender IP and port address, etc.). But I fear that won't happen by default, because (1) that would take extra time, and (2) it only affects OTHER people. And I understand (though don't agree with) the other side of the coin: Yes, of course people who have root can send any packet. That's not my point. My point is that for a large, shared network to be useful, there needs to be a defense-in-depth so that attackers aren't automatically given the whole store when they get just a little privilege. This would kick away one of those mechanisms.
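The kind of kernel-side outgoing-packet check the comment asks for, as an added example that is not part of the original comment and not code from any network-channel implementation. All names (`chan_binding`, `egress_check`, `check_sample`) are hypothetical, the sample packet is constructed, and the check goes slightly beyond the comment by also rejecting SYN+FIN alongside Xmas tree packets.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical: the local address/port the kernel recorded for this channel. */
struct chan_binding { uint8_t src_ip[4]; uint16_t src_port; };
enum verdict { EGRESS_OK, EGRESS_MALFORMED, EGRESS_BAD_SRC_IP,
               EGRESS_BAD_SRC_PORT, EGRESS_BAD_FLAGS };
enum { TCP_FIN = 0x01, TCP_SYN = 0x02, TCP_PSH = 0x08, TCP_ACK = 0x10, TCP_URG = 0x20 };

/* Check a user-built IPv4/TCP packet against its channel before transmit. */
enum verdict egress_check(const struct chan_binding *b, const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return EGRESS_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t tot = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || tot != len || pkt[9] != 6 || len < ihl + 20)
        return EGRESS_MALFORMED;
    const uint8_t *tcp = pkt + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || ihl + doff > len)
        return EGRESS_MALFORMED;
    /* Sender must be the bound address: rejects 127.0.0.1 and other forgeries. */
    if (memcmp(pkt + 12, b->src_ip, 4) != 0)
        return EGRESS_BAD_SRC_IP;
    if (((tcp[0] << 8) | tcp[1]) != b->src_port)
        return EGRESS_BAD_SRC_PORT;
    uint8_t fl = tcp[13], xmas = TCP_FIN | TCP_PSH | TCP_URG;
    /* Reject Xmas tree (FIN+PSH+URG, no ACK) and SYN+FIN. */
    if (((fl & xmas) == xmas && !(fl & TCP_ACK)) || ((fl & TCP_SYN) && (fl & TCP_FIN)))
        return EGRESS_BAD_FLAGS;
    return EGRESS_OK;
}

const uint8_t BOUND_IP[4] = {198, 51, 100, 7}, LOOPBACK[4] = {127, 0, 0, 1};
/* Constructed sample: 40-byte IPv4+TCP packet to 192.0.2.1:80, checked
   against a channel bound to 198.51.100.7:40000 (documentation addresses). */
enum verdict check_sample(const uint8_t src[4], uint16_t sport, uint8_t flags)
{
    struct chan_binding b = { {198, 51, 100, 7}, 40000 };
    uint8_t p[40] = {0};
    p[0] = 0x45; p[3] = 40; p[8] = 64; p[9] = 6;      /* v4, IHL 5, len 40, TTL, TCP */
    memcpy(p + 12, src, 4);
    p[16] = 192; p[18] = 2; p[19] = 1; p[23] = 80;    /* destination address and port */
    p[20] = (uint8_t)(sport >> 8); p[21] = (uint8_t)sport;
    p[32] = 0x50; p[33] = flags;                      /* data offset 5 words, flags */
    return egress_check(&b, p, sizeof p);
}
int main(void) { return check_sample(LOOPBACK, 40000, TCP_ACK) == EGRESS_BAD_SRC_IP ? 0 : 1; }
```

The per-packet cost is a handful of comparisons on header bytes; checksums are not verified here.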