Re: Support for odd netmasks?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 10 Nov 2008 13:41:01 +1300

Henrik Nordstrom wrote:
> There is a Fedora user request for proper support of odd netmasks in IP
> acls: https://bugzilla.redhat.com/show_bug.cgi?id=470709
>
> Quote from Fedora bug report:
>
> Any valid network mask should be usable, especially as there
> appears to be an increasing tendency for very large corporations
> to deliberately choose odd IP address combinations in an effort
> to frustrate people who legitimately wish to secure their
> computers.
>
> Which is counter to our plan of removing support for "odd" netmasks.
>
> Any comments or suggestions?

1) Odd netmasks break Internet routing table design. This is a minor
issue in IPv4, but with IPv6 space being larger it becomes a critical flaw.

2) Netmasks are a deprecated Internet protocol. CIDR, the replacement,
is 15 years old as an RFC. Time for the non-conformists to upgrade both
their topology and security systems.

3) Keeping and passing old-style netmasks doubles the Squid memory usage
for mask info addresses. The netmask deprecation goal was solely to
reduce that footprint.

>
> The bug report as such is about things failing silently when odd
> netmasks are used.

Easy enough to make it noisy :-)

>
> My suggestion is that we continue supporting odd netmasks, but move
> these to a linked list, parallel to the splay tree, giving the IP
> matches a dual personality of both splay tree and linked list based on
> the type of element added.

A lot of complication to placate people who are breaking the Internet
routing scheme for their own flawed attempts at security.

Such netmask foolery is already supported and can be implemented with
nested CIDR rules for ACL. It's just a highly complicated config for the
fools who try it.

The problem only pops up for config entries which are a single mask (i.e.
wccp router mask, client IP mask).

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
   Current Beta Squid 3.1.0.1
Received on Mon Nov 10 2008 - 00:41:06 MST
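Amos's point that an "odd" (non-contiguous) netmask is already expressible as a set of CIDR rules, worked through as an added Python example that is not Squid code: the mask's zero bits above its lowest one bit become wildcards that are enumerated into equivalent CIDR prefixes, rendered here as Squid `acl ... src` lines. The addresses and masks used are constructed sample values.

```python
import ipaddress
from itertools import product


def mask_is_contiguous(mask: str) -> bool:
    """True for a CIDR-style mask: a run of ones followed by a run of zeros."""
    m = int(ipaddress.IPv4Address(mask))
    inv = (~m) & 0xFFFFFFFF
    return (inv & (inv + 1)) == 0          # inverted mask is of the form 2**k - 1


def odd_mask_to_cidrs(address: str, mask: str) -> list[ipaddress.IPv4Network]:
    """Return the CIDR prefixes whose union equals 'address/mask' for any mask."""
    a = int(ipaddress.IPv4Address(address))
    m = int(ipaddress.IPv4Address(mask))
    if m == 0:
        return [ipaddress.IPv4Network("0.0.0.0/0")]
    # The prefix length must reach down to the mask's least significant one bit.
    lowest_one = (m & -m).bit_length() - 1    # bit index counted from the LSB
    plen = 32 - lowest_one
    # "Holes" are zero bits above that one bit: each doubles the number of prefixes.
    holes = [b for b in range(lowest_one + 1, 32) if not (m >> b) & 1]
    fixed = a & m                              # host bits below plen are already zero
    nets = []
    for bits in product((0, 1), repeat=len(holes)):
        n = fixed
        for bit, value in zip(holes, bits):
            if value:
                n |= 1 << bit
        nets.append(ipaddress.IPv4Network((n, plen)))
    return sorted(nets)


def squid_src_acl(name: str, address: str, mask: str) -> list[str]:
    """Render the equivalent prefixes as Squid 'acl <name> src <cidr>' lines."""
    return [f"acl {name} src {net.with_prefixlen}"
            for net in odd_mask_to_cidrs(address, mask)]


def mask_matches(address: str, net_address: str, mask: str) -> bool:
    """Direct bitwise test, used to cross-check the CIDR expansion."""
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(net_address))
    m = int(ipaddress.IPv4Address(mask))
    return (a & m) == (n & m)


if __name__ == "__main__":
    # Constructed example: 255.255.254.255 has one hole, so two /32 rules result.
    for line in squid_src_acl("odd_hosts", "192.168.4.1", "255.255.254.255"):
        print(line)
```

An eight-bit hole such as 255.0.255.0 expands to 256 prefixes, which is the "highly complicated config" the message refers to.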
