Message-ID: <20100612092748.5fed4baf@lk-netdev.nosense.org>
Date:	Sat, 12 Jun 2010 09:27:48 +0930
From:	Mark Smith <lk-netdev@...netdev.nosense.org>
To:	Joakim Tjernlund <joakim.tjernlund@...nsmode.se>
Cc:	Rick Jones <rick.jones2@...com>, netdev@...r.kernel.org
Subject: Re: Weak host model vs .interface down

On Fri, 11 Jun 2010 21:41:45 +0200
Joakim Tjernlund <joakim.tjernlund@...nsmode.se> wrote:

> Rick Jones <rick.jones2@...com> wrote on 2010/06/11 19:13:42:
> >
> > > The weak model doesn't go into such detail, it is assumption/impl. detail
> > > to assume that the ip address still is part of the system even when the interface
> > > is down. One could just as well define interface down as temporarily removing
> > > the IP address from the system too. This makes much more sense to me and
> > > if you always want the system to answer on an IP address you make it an IP alias.
> > >
> > > Since the current behaviour is a problem to me and routers in general, can
> > > we change this? What is the current usage model which needs it to stay as is?
> >
> > Router != end-system  so I wouldn't think the weak or strong end-system model
> > would apply to a router.  I think Stephen already posted a patch to allow that
> > for when one's box was a router rather than an end-system.
> 
> Not really an answer to what I was asking but I choose to read that as
> you agree with me. The rest is an impl. detail. :)
> Stephen's patch is good but I would not mind making I/F down removing the
> IP address from the system unconditionally.
> 

I've asked the same question a few years back and got the same answer.
I accept the strong host / weak host argument, however I've also
thought about the problem a bit more, and why people get confused about
it.

The problem is the mental model. Assigning an IP address to an
interface implies that the IP address is attached and associated with
the interface and therefore the state of the interface. That is
certainly the case for people like me who work with networking
equipment, typically routers, which follow the strong host model. It is
very convenient to know that by shutting down an interface the
associated IP address stops working too. Other measures, such as
ACLing, or writing down and deleting and then having to put it back, are
relatively much more effort and error prone.

While I'm sure past operational history is likely to make this
impractical, it would be far more intuitive for weak host model IP
address assignments to be made to a single, forced always up virtual
interface on the host, and strong host IP address assignments made to
any other "non-weak host" interfaces.

It'd be an interesting experiment to see if loopback could be used as a
"host interface" in the weak host model.

Regards,
Mark.