From owner-doc-jp@jp.freebsd.org  Wed Jul 12 07:53:36 2000
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id HAA40296;
	Wed, 12 Jul 2000 07:53:36 +0900 (JST)
	(envelope-from owner-doc-jp@jp.FreeBSD.org)
Received: from smtp02.246.ne.jp (smtp02.246.ne.jp [210.253.192.36])
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) with SMTP id HAA40291
	for <doc-jp@jp.freebsd.org>; Wed, 12 Jul 2000 07:53:36 +0900 (JST)
	(envelope-from y-koga@jp.FreeBSD.org)
Received: (qmail 6894 invoked by alias); 12 Jul 2000 07:53:36 +0900
Message-ID: <20000711225336.6893.qmail@smtp.246.ne.jp>
Received: (qmail 6880 invoked from network); 12 Jul 2000 07:53:34 +0900
Received: from tp4hr186.246.ne.jp (HELO localhost) (210.253.193.186)
  by smtp.246.ne.jp with SMTP; 12 Jul 2000 07:53:34 +0900
To: doc-jp@jp.freebsd.org
In-Reply-To: <20000710134328.19713.qmail@smtp.246.ne.jp>
References: <20000622215052.D642E37BF12@hub.freebsd.org>
	<20000710134328.19713.qmail@smtp.246.ne.jp>
X-Mailer: Mew version 1.94.2 on Emacs 19.28 / Mule 2.3 (SUETSUMUHANA)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Date: Wed, 12 Jul 2000 07:53:33 +0900
From: Koga Youichirou <y-koga@jp.freebsd.org>
X-Dispatcher: imput version 20000228(IM140)
Reply-To: doc-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+000315
X-Sequence: doc-jp 7529
Subject: [doc-jp 7529] Re: ANNOUNCE: FreeBSD Security Advisory:
 FreeBSD-SA-00:23.ip-options
Errors-To: owner-doc-jp@jp.freebsd.org
Sender: owner-doc-jp@jp.freebsd.org
X-Originator: y-koga@jp.freebsd.org

revised diff:

--- FreeBSD-SA-00-23.BAK	Wed Jul 12 07:43:36 2000
+++ FreeBSD-SA-00-23	Wed Jul 12 07:42:54 2000
@@ -2,11 +2,12 @@
 FreeBSD-SA-00:23                                           Security Advisory
                                                                 FreeBSD, Inc.
 
-Topic:		Remote denial-of-service in IP stack
+Topic:		Remote denial-of-service in IP stack [REVISED]
 
 Category:	core
 Module:		kernel
 Announced:	2000-06-19
+Revised:	2000-07-11
 Affects:	FreeBSD systems prior to the correction date
 Credits:	NetBSD Security Advisory 2000-002, and
 		Jun-ichiro itojun Hagino <itojun@kame.net>
@@ -37,7 +38,25 @@
 
 IV.  Workaround
 
-None available.
+Incoming packets containing IP Options can be blocked at a perimeter
+firewall or on the local system, using ipfw(8) (ipf(8) is also capable
+of blocking packets with IP Options, but is not described here).
+
+The following ipfw rules are believed to prevent the denial-of-service
+attack (replace the rule numbers '100'-'103' with whichever rule
+numbers are appropriate for your local firewall, if you are already
+using ipfw):
+
+ipfw add 100 deny log ip from any to any ipopt rr
+ipfw add 101 deny log ip from any to any ipopt ts
+ipfw add 102 deny log ip from any to any ipopt ssrr
+ipfw add 103 deny log ip from any to any ipopt lsrr
+
+Note that there are legitimate uses for IP options, although they are
+no believed to be in common use, and blocking them should not cause
+any problems. Therefore the log entries generated by these ipfw rules
+will not necessarily be evidence of an attempted attack. Furthermore,
+the packets may be spoofed and have falsified source addresses.
 
 V.   Solution
 
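Review bot: typo in the added note: "they are no believed to be in common use" should read "not believed". While editing that paragraph, it would also help to state that these deny rules must be placed before any existing allow rule that would match the same traffic, since ipfw stops at the first matching rule; the text tells readers to pick their own rule numbers but not that the numbers must sort ahead of such rules.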
@@ -62,6 +81,11 @@
 http://www.freebsd.org/handbook/kernelconfig.html and reboot the
 system ]
 
+VI.   Revision History
+
+v1.0  2000-06-19  Initial release
+v1.1  2000-07-11  Note workaround using ipfw.
+
     Index: ip_icmp.c
     ===================================================================
     RCS file: /ncvs/src/sys/netinet/ip_icmp.c,v
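Review bot: the new "VI.   Revision History" section is inserted between the rebuild-and-reboot instructions and the "Index: ip_icmp.c" patch, so it splits section V (Solution) and leaves the patch listing stranded under the revision history. Move the section to after the end of the patch so that V. Solution remains contiguous.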
@@ -133,5 +157,5 @@
      				goto bad;
      		}
      		switch (opt) {
-    
- 
+
+
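Review bot: this hunk only strips trailing whitespace from two lines inside the quoted ip_icmp.c patch, but those lines are part of the embedded unified diff, where a context line is a single leading space; emptying them may cause the embedded patch to fail to apply when a reader extracts it from the advisory. Leave the whitespace of the quoted patch body untouched.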

----
Koga Youichirou
