now that we have first implementation i think it's time for rob thomas to start monitoring who has deployed it and who not :)))))
-- deejay
-----Original Message-----
From: bmanning@karoshi.com [mailto:bmanning@karoshi.com]
Sent: 1. apríla 2003 19:40
To: nanog@nanog.org
Subject: Re: RFC3514
Well, you weren't taking it seriously, I hope. lol
-Jack
------------------------- get it while it's hot.... -----------------
Subject: cvs commit: src/sbin/ping ping.8 ping.c src/share/man/man4 inet.4 ip.4 src/sys/netinet in.h in_pcb.h ip.h ip_input.c ip_output.c ip_var.h src/usr.bin/netstat inet.c
Date: Tue, 1 Apr 2003 00:21:44 -0800 (PST)
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
mdodd 2003/04/01 00:21:44 PST
FreeBSD src repository
Modified files:
  sbin/ping          ping.8 ping.c
  share/man/man4     inet.4 ip.4
  sys/netinet        in.h in_pcb.h ip.h ip_input.c ip_output.c ip_var.h
  usr.bin/netstat    inet.c
Log:
Implement support for RFC 3514 (The Security Flag in the IPv4 Header). (See: ftp://ftp.rfc-editor.org/in-notes/rfc3514.txt)
This fulfills the host requirements for userland support by way of the setsockopt() IP_EVIL_INTENT message.
There are three sysctl tunables provided to govern system behavior.
net.inet.ip.rfc3514:
Enables support for rfc3514. As this is an Informational RFC and support is not yet widespread this option is disabled by default.
net.inet.ip.hear_no_evil
If set the host will discard all received evil packets.
net.inet.ip.speak_no_evil
If set the host will discard all transmitted evil packets.
The IP statistics counter 'ips_evil' (available via 'netstat') provides information on the number of 'evil' packets received.
For reference, the '-E' option to 'ping' has been provided to demonstrate and test the implementation.
Revision  Changes    Path
1.47      +4 -2      src/sbin/ping/ping.8
1.92      +13 -1     src/sbin/ping/ping.c
1.21      +11 -0     src/share/man/man4/inet.4
1.29      +9 -0      src/share/man/man4/ip.4
1.75      +2 -0      src/sys/netinet/in.h
1.59      +1 -0      src/sys/netinet/in_pcb.h
1.22      +1 -0      src/sys/netinet/ip.h
1.232     +14 -0     src/sys/netinet/ip_input.c
1.181     +28 -1     src/sys/netinet/ip_output.c
1.72      +1 -0      src/sys/netinet/ip_var.h
1.57      +1 -0      src/usr.bin/netstat/inet.c
----- End forwarded message:
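An added example, not part of the original messages or the FreeBSD commit: a user-space C model of the receive-side behaviour the commit log describes, where net.inet.ip.rfc3514 enables handling, ips_evil counts evil packets and net.inet.ip.hear_no_evil discards them. The bit position is taken from RFC 3514 (the high-order bit of the fragment offset field); all struct, function and macro names are hypothetical, and gating the counter on the rfc3514 setting is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 3514: evil bit = high-order bit of header bytes 6-7 (hypothetical name). */
#define EVIL_BIT 0x8000u

/* Hypothetical user-space stand-ins for the sysctls and the netstat counter. */
struct evil_cfg { int rfc3514; int hear_no_evil; };
struct evil_stats { unsigned long ips_evil; };
enum verdict { PKT_ACCEPT, PKT_DROP_EVIL, PKT_MALFORMED };

/* Constructed 20-byte IPv4 headers (checksum left 0, not validated here). */
static const uint8_t sample_evil[20] = {0x45,0,0,20, 0,1,0x80,0, 64,1,0,0, 192,0,2,1, 192,0,2,2};
static const uint8_t sample_df[20]   = {0x45,0,0,20, 0,2,0x40,0, 64,1,0,0, 192,0,2,1, 192,0,2,2};

/* Returns 1 if the evil bit is set, 0 if clear, -1 if not a usable IPv4 header. */
int ipv4_evil_bit(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len) return -1;
    uint16_t off = (uint16_t)((pkt[6] << 8) | pkt[7]);
    return (off & EVIL_BIT) ? 1 : 0;
}

/* Assumption: counting and dropping only happen when rfc3514 is enabled. */
enum verdict rx_filter(const struct evil_cfg *cfg, struct evil_stats *st,
                       const uint8_t *pkt, size_t len)
{
    int evil = ipv4_evil_bit(pkt, len);
    if (evil < 0)
        return PKT_MALFORMED;
    if (!cfg->rfc3514 || !evil)
        return PKT_ACCEPT;
    st->ips_evil++;
    return cfg->hear_no_evil ? PKT_DROP_EVIL : PKT_ACCEPT;
}

int main(void)
{
    struct evil_cfg cfg = { 1, 1 };
    struct evil_stats st = { 0 };
    int a = rx_filter(&cfg, &st, sample_evil, sizeof sample_evil);
    int b = rx_filter(&cfg, &st, sample_df, sizeof sample_df);
    printf("evil=%d df=%d ips_evil=%lu\n", a, b, st.ips_evil);
    return 0;
}
```

The second sample header sets only the Don't Fragment bit, so it passes the filter and leaves the counter unchanged.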
The linux patch at http://www.version6.net/patches/linux-2.4.20-rfc3514.dif has also been out since early April 1st.
Pete
----- Original Message -----
From: "Tomas Daniska" <tomas@tronet.com>
To: <bmanning@karoshi.com>; <nanog@nanog.org>
Sent: Wednesday, April 02, 2003 9:36 AM
Subject: RE: RFC3514
now that we have first implementation i think it's time for rob thomas to start monitoring who has deployed it and who not :)))))
-- deejay
participants (2)
- Petri Helenius
- Tomas Daniska