> We performed pretty thorough tests with the stack (including the usual stuff like SYN floods) and found the TCP options bug.

Where? Is it a lwIP bug? Is it already solved in current CVS? (I'm using the last 1.3.0 release.)

> I would give LwIP a pretty good grade there. The stack itself is very robust.

Good!

> The problematic part is always the driver implementation. And that is where LwIP could provide more help to developers (more documentation, tips, hints, best practices). Because timing issues, flooding issues and all that stuff all arise in the driver. If your driver is not secure, the stack can't help crashing.
>
> So debug your driver while under SYN flood and you'll probably find something overflowing.

Which tool can I use to simulate a flood attack and debug the driver and the stack?

> Now on to the topic of filtering. Filtering packets in the MAC layer by whitelisting IPs is pretty much nonsense. It's basically the same simulation of security as MAC ACLs in wireless routers. An IP can easily be spoofed just like a MAC can. Building extensive packet filtering options and configuration options into LwIP will only increase complexity and code size. And if you want filtering on the lowest level it will be a driver issue anyways.

Yes... I want to filter in the driver, not in lwIP... and I know... it is not a definitive solution, but it can mitigate the problem.

> Network security is a very complex topic and you can't try to make a single device ultra-secure and then never worry again. The whole network has to be taken into account. Also there are no statements about it that are correct under every circumstance (like using UDP because it's simpler).
>
> You cannot judge the security of a device by the IP stack alone.
>
> To close: you should probably never expose a device with such low resources that it uses a minimal stack like LwIP _directly_ to the internet. This WILL starve your resources and DoS your device.
>
> Packet filtering should be done by appliances that are built for that. Firewalls, VPN tunnels, ...

Yes.... I said the same thing to our marketing.... "put the device behind a firewall!!".... but the answer was... security features inside the device are good marketing arguments.... :O|

Bye
Piero
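The point made above, that under a SYN flood it is the driver's receive path rather than the stack that overflows, can be exercised without any network at all. The following is an added example, not lwIP code and not anything posted in this thread: a bounded receive ring, as a driver would sit between its DMA/ISR side and the stack's input task, that drops and counts frames when it is full or when a frame exceeds a slot, instead of writing past the end. The ring size, frame size, function names and the burst simulation (a fixed number of arrivals with the consumer servicing one frame per N arrivals) are all assumptions chosen for illustration; a real driver would hand popped frames to `netif->input`.

```c
/* Added example, not lwIP code: a bounded RX ring that never overflows.
 * All sizes and names are hypothetical and chosen for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RX_RING_SIZE 8   /* assumed descriptor count (small on purpose) */
#define RX_FRAME_MAX 64  /* assumed bytes retained per slot */

typedef struct {
    uint16_t len;
    uint8_t  data[RX_FRAME_MAX];
} rx_slot_t;

typedef struct {
    rx_slot_t slots[RX_RING_SIZE];
    size_t    head, tail, count;
    uint32_t  dropped_full;      /* frames dropped because the ring was full */
    uint32_t  dropped_oversize;  /* frames dropped because they exceed a slot */
    uint32_t  delivered;         /* frames handed to the stack (popped) */
} rx_ring_t;

void rx_ring_init(rx_ring_t *r) { memset(r, 0, sizeof *r); }

/* ISR side: copy a frame into the next free slot, or drop it.
 * Bounds are checked before any write, so a flood can only raise the
 * drop counters, never corrupt memory past the ring or a slot. */
bool rx_ring_push(rx_ring_t *r, const uint8_t *frame, size_t len) {
    if (len > RX_FRAME_MAX) { r->dropped_oversize++; return false; }
    if (r->count == RX_RING_SIZE) { r->dropped_full++; return false; }
    rx_slot_t *s = &r->slots[r->head];
    memcpy(s->data, frame, len);
    s->len = (uint16_t)len;
    r->head = (r->head + 1) % RX_RING_SIZE;
    r->count++;
    return true;
}

/* Task side: take the oldest frame out (a real driver would pass it up). */
bool rx_ring_pop(rx_ring_t *r, rx_slot_t *out) {
    if (r->count == 0) return false;
    *out = r->slots[r->tail];
    r->tail = (r->tail + 1) % RX_RING_SIZE;
    r->count--;
    r->delivered++;
    return true;
}

/* Structural invariant a driver can assert in a debug build under load. */
bool rx_ring_invariant_ok(const rx_ring_t *r) {
    return r->count <= RX_RING_SIZE &&
           (r->tail + r->count) % RX_RING_SIZE == r->head;
}

/* Simulate a burst: 'frames' arrivals, one consumer service every
 * 'consume_every' arrivals. Returns delivered + queued + dropped, which must
 * equal 'frames' if every arrival was accounted for exactly once. */
uint32_t simulate_burst(rx_ring_t *r, uint32_t frames, uint32_t consume_every) {
    uint8_t frame[RX_FRAME_MAX];
    rx_slot_t out;
    memset(frame, 0xAB, sizeof frame);          /* constructed payload */
    for (uint32_t i = 0; i < frames; i++) {
        rx_ring_push(r, frame, 54);             /* 54 bytes: SYN-sized, constructed */
        if (consume_every && (i + 1) % consume_every == 0) rx_ring_pop(r, &out);
    }
    return r->delivered + (uint32_t)r->count + r->dropped_full + r->dropped_oversize;
}

/* Fixed scenario used below: 100 arrivals, consumer keeps up 1 in 4. */
uint32_t flood_demo_dropped(void) {
    rx_ring_t r; rx_ring_init(&r);
    simulate_burst(&r, 100, 4);
    return r.dropped_full;
}

bool flood_demo_consistent(void) {
    rx_ring_t r; rx_ring_init(&r);
    uint32_t accounted = simulate_burst(&r, 100, 4);
    return accounted == 100 && rx_ring_invariant_ok(&r) && r.delivered == 25;
}

int main(void) {
    rx_ring_t r; rx_ring_init(&r);
    uint32_t accounted = simulate_burst(&r, 100, 4);
    printf("accounted=%u delivered=%u queued=%zu dropped_full=%u invariant=%d\n",
           accounted, r.delivered, r.count, r.dropped_full, rx_ring_invariant_ok(&r));
    return 0;
}
```

The drop counters are the diagnostic the thread is asking for: a driver that exposes them (or feeds them into `LINK_STATS_INC`-style counters) lets you see during a flood whether frames are being discarded at the ring, rather than discovering the overflow as a crash somewhere in the stack.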