lwip-users
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [lwip-users] Security implemented in LWIP

From: Piero 74
Subject: Re: [lwip-users] Security implemented in LWIP
Date: Wed, 28 Jan 2009 12:43:22 +0100
Hi


we performed pretty thorough Tests with the Stack (including the usual stuff like SYN-Floods) and found the TCP Options-bug.

Where? Is it a lwip bug? is it already solved in current cvs? (i'm using last 1.3.0 release)
 

I would give LwIP a pretty good grade there. The Stack itself is very robust.

good!
 

The problematic part is always the driver implementation. And that is where LwIP could provide more help to developers (more documentation, tips, hints, best practices).
Because timing issues, flooding issues and all that stuff all arise in the driver. If your driver is not secure, the stack can't help crashing.

So debug your driver while under SYN flood and you'll probably find something overflowing.

which tool i can use to simulate a flood attack and debug the driver and the stack?
 

Now on to the topic of filtering. Filtering packets in the MAC layer by whitelisting IPs is pretty much nonsense. It's basically the same simulation of security as MAC-ACLs in Wireless routers. An IP can easily be spoofed just like a MAC can. Building extensive packet filtering options and configuration options into LwIP will only increase complexity and code size. And if you want filtering on the lowest level it will be a driver issue anyways.

yes... i want to filer in the driver, not in lwip.. and i know... it is not a definitive solution, but can mitigate the problem.
 

Network-security is a very complex topic and you can't try to make a single device ultra-secure and then never worry again. The whole network has to be taken into account. Also there are no statements about it that are correct under every circumstance (like using UDP because it's simpler).
You cannot judge the security of a device by the IP stack alone.

To close: you should probably never expose a device with such low resources that it uses a minimal Stack like LwIP _directly_ to the internet. This WILL starve your resources and DoS your device.
Packet-filtering should be done by appliances that are built for that. Firewalls, VPN-Tunnels, ...

yes.... i said the same thing to our marketing.... "put the device behind a firewall!!".... but the answer was... security features inside the device are good marketing arguments.... :O|

Bye
Piero
 

reply via email to
[Prev in Thread] Current Thread [Next in Thread]