lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Mon, 28 Jun 2010 20:01:05 -0700 (PDT)
From:	David Miller <davem@...emloft.net>
To:	joakim.tjernlund@...nsmode.se
Cc:	eric.dumazet@...il.com, netdev@...r.kernel.org,
	shemminger@...tta.com
Subject: Re: [PATCH net-next-2.6] ipv4: sysctl to block responding on down
 interface

From: Joakim Tjernlund <joakim.tjernlund@...nsmode.se>
Date: Tue, 29 Jun 2010 01:30:26 +0200

> This is an strict interpretation of the weak host model and does not
> answer my questions. Mind to elaborate why such a strict view and
> what is gained by answering on an IP address which has been "downed"?

IP addresses are never "downed" just as your default route is not
"downed" when you take down an interface.

Rather, hosts are configured with an IP address and when they are so
configured they respond to it and can generate local application
sourced packets with that IP address as a source.

And what this means is that even in situations where hosts are
slightly mis-configured communication between them can still be
possible.  That's the goal of the weak host model, to get a host
respond to IP datagrams in every situation where such an act is
plausible.

All of the design decisions we've made in the networking in this area
are meant to increase the likelyhood of successful communication
between two hosts.

And in the 10+ years this behavior has existed, I know for sure that
people have ended up with a working networking because of the way we
do things.

So from that perspective it doesn't matter one iota what you or any
other particular entity wish things to be, since 10+ years of having
this behavior is ingrained enough that changing it is guarenteed to
break someone's setup so we absolutely can't do it.

This topic comes up at least once every few months, therefore someone
should post a FAQ somewhere because it's tiring to explain over and
over again why this is a good design decision and why the default
behavior is never going to change.

The RFCs allow both models equally, and just because many other
system does things the other way doesn't make it any better or more
valid than what Linux is doing.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists