9fans - fans of the OS Plan 9 from Bell Labs
From: Gorka Guardiola Múzquiz <paurea@plan9.escet.urjc.es>
To: 9fans@cse.psu.edu
Subject: [9fans] plan9 security...
Date: Fri, 13 Feb 2004 15:04:29 +0100
Message-ID: <ab8642526016f58ade156ffac050da2e@plan9.escet.urjc.es>

I was with some friend commenting on security in plan 9 and we found
some breach in security, at least the way it is used here.  I don't
know if this is a problem of the (awful) topology of our net or a real
breach.  Here we have a fileserver which serves the kernel for the
terminals on dhcp.  Terminals boot diskless.  The problem here is that
all the net taps in the University can form part of our subnet.  VPNs
are generated dynamically looking at the addresses which come from all
the taps.  The thing is that someone can do a DoS attack on
the fileserver, answer for it the dhcp request (it can be done from
any place on the University), and serve a tame kernel just to get the
passwords of the users.  We are studying the idea of signing somehow
the kernel with a net/host secret and adding support for it on 9load
to stop this happening.  Another solution would be to implement DHCP
authentication, but it may be much more complicated.

Would this be useful for any other person on the list?  Do you think
it is a good solution?  Ideas?  Suggestions?


			Gorka.
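
The kernel-signing idea raised in the message above, sketched as an added example that is not part of the original post and not 9load or Plan 9 code: the file server wraps the kernel with an HMAC-SHA256 tag and the loader refuses any image whose tag does not verify. The choice of HMAC-SHA256, the `SKRN` container layout, the function names, and a secret held locally on the terminal rather than fetched over the network are all assumptions.

```python
import hashlib
import hmac
import struct

MAGIC = b"SKRN"                      # hypothetical container magic, not a Plan 9 format
HEADER = struct.Struct(">4sI")       # magic, kernel length in bytes
TAG_LEN = hashlib.sha256().digest_size


def sign_kernel(kernel: bytes, secret: bytes) -> bytes:
    """File-server side: emit header || kernel || HMAC(secret, header || kernel)."""
    header = HEADER.pack(MAGIC, len(kernel))
    tag = hmac.new(secret, header + kernel, hashlib.sha256).digest()
    return header + kernel + tag


def verify_kernel(blob: bytes, secret: bytes) -> bytes:
    """Loader side: return the kernel only if the tag verifies, else raise."""
    if len(blob) < HEADER.size + TAG_LEN:
        raise ValueError("image too short")
    magic, length = HEADER.unpack_from(blob)
    if magic != MAGIC or len(blob) != HEADER.size + length + TAG_LEN:
        raise ValueError("malformed image")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("bad tag: refusing to boot")
    return body[HEADER.size:]


def accepts(blob: bytes, secret: bytes) -> bool:
    """True if the loader would boot this image."""
    try:
        verify_kernel(blob, secret)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    secret = b"constructed-net-secret"              # constructed sample value
    kernel = b"\x00constructed kernel bytes" * 4    # constructed sample image
    good = sign_kernel(kernel, secret)
    rogue = sign_kernel(b"substituted kernel", b"not-the-secret")
    flipped = good[:20] + bytes([good[20] ^ 1]) + good[21:]
    for name, blob in [("good", good), ("rogue", rogue), ("flipped", flipped)]:
        print(name, accepts(blob, secret))
```

Because the secret is symmetric, any terminal that can verify an image can also produce a valid tag, so where the loader keeps the secret matters as much as the check itself.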


