"Andrew Sullivan" <ajs@crankycanuck.ca> writes:
> On Fri, Aug 31, 2007 at 12:30:02PM -0500, Decibel! wrote:
>>
>> Is it easy to spoof where an incoming connection request is coming from?
>> Is there something else that makes ident on 127.0.0.1/32 insecure?
>
> It shouldn't be easy. Ident uses TCP, which is rather harder to
> spoof.
Say what? It's actually quite easy to spoof TCP. There are even command-line
tools to do it available in most Unix distributions.
> If someone can originate spoofed TCP packets from 127.0.0.1, you gots bigger
> problems than them being able to lie about the identity of a user.
Well yes, there are other insecure services which look at the originating ip
address. But hopefully fewer and fewer as time goes on. Once upon a time X was
a big target since most X servers shipped trusting 127.0.0.1 and you could
slip a request into the first data packet to trust other ip addresses which
made attacking it considerably easier. These days X doesn't use ip addresses
to handle authorization any more.
Also modern distributions, at least on Linux, tend to install ip filters to
block packets with source addresses like 127/8 coming from an external
interface. However even today I wouldn't be confident that all operating
systems do so or that they work correctly in all circumstances.
-- Gregory Stark EnterpriseDB http://www.enterprisedb.com
