jbvb@VAX.FTP.COM (James Van Bokkelen) (11/17/88)
A while back, I was working on IP option support for PC/TCP, and re-discovered another "bug that everybody knows about" in 4.2 IP option handling. I have demonstrated an ability to crash a number of 4.2-derived commercial products from far, far away, with legal IP datagrams that gateways probably won't filter. I posted about this, asking if people wanted me to test against their systems, and got a total of about 3 replies, none from vendors. Another area that "everybody knows about" is TFTP. Our Unix's TFTP is picky about who it will take connections from (as a locally-installed side effect of using a TFTP that conforms to the specifications, instead of the broken 4.2 version the vendor gave us). Who else has taken care of this? I first heard of the FTPD bug at Interop in December, 1987. None of the people who were talking about it were giving details, because they were afraid someone would use it before it could be fixed. Hi ho. If I can get sued for negligence for not padlocking the gate to my home's swimming pool, I don't think you can call it justice to imprision or even fine Mr. Morris. There is a lot of knowlege out there, but many vendors don't share in it, because they are isolated, or understaffed, or trying to put out other fires first. RFC 1009 and the "Requirements for Internet Hosts" draft are a good start, but it will take sophisticated, energetic customers to make the network an equal priority with the text editor for most vendors. I had hoped that the Interop show-net would be a place where we could get some serious testing done, but it came up too late in the day before the crowd showed up, and many vendors didn't bring their coders. Some people did testing of upper-layer protocols, but I couldn't hack IP options, because the result of my finding a bug was quite likely to be a system crash.... James VanBokkelen FTP Software Inc.