Author: Kev <klmitch@mit.edu>
Log message:
Code to disable IP options was removed early on in the u2.10.11 release
cycle, apparently due to a misunderstanding of what the code was trying to
accomplish. There are only a handful of IP options available today, and
none of them affect performance...whereas some (namely, source routing) can
affect security. The code that was removed (and which is added back in
this patch) disables those options. When a source route is removed, the
spoofed origin can't receive packets from the server. If the source route
were *not* removed, a spoofer would receive the anti-spoof ping, and thus
be able to return it, re-opening the IP spoof attack. Note: This does not
affect TCP options; those are critical to performance, but they are only
interpreted by the TCP layer, and thus are enclosed in the TCP-controlled
portion of the IP packet. IP options are contained in the IP header.
git-svn-id: file:///home/klmitch/undernet-ircu/undernet-ircu-svn/ircu2/trunk@539
c9e4aea6-c8fd-4c43-8297-
357d70d61c8c