lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20150216101309.GB25792@faui40p.informatik.uni-erlangen.de>
Date:	Mon, 16 Feb 2015 11:13:10 +0100
From:	Toerless Eckert <tte@...fau.de>
To:	Sowmini Varadhan <sowmini05@...il.com>
Cc:	Bill Fink <billfink@...dspring.com>,
	Cong Wang <cwang@...pensource.com>,
	netdev <netdev@...r.kernel.org>
Subject: Re: vnet problem (bug? feature?)

On Sun, Feb 15, 2015 at 04:16:21PM -0500, Sowmini Varadhan wrote:
> RPF !=  strong/weak ES models defined in Section 3.3.4.2 of rfc1122.

Agreed on the RFC definition, but not on the model. RP filtering makes
it more difficult, if not impossible to a weak-host. Consider the multi-homed
host that's attached such that it would receive packets for one of its addresses
from different interfaces. RP filtering throws away those packet from all but
one interface (just talking unicast hee for the sake of the argument).

> RPF is about ingress filtering (rfc 3704) and verifying that the return
> path to the src addr of the packet would go out on the same interface
> it came on. The wiki page on Reverse_path_forwarding has some detail.

rfc3704 does mention multicast only on the side, so i would claim Fred did
primarily think about unicast, and the whole text is also targeted for ISPs
== routers, not for RPF filtering on actual multi homed hosts.

Of course, RPF filtering for multicast has been traditionally used in
almost all relevant routing protocols, but again: thats only on routers,
and AFAIK in the distant past not on MHH.

I fail to find a good reference explaining why linux would default to
rp_filtering = 1 (more appropriate for routers) even if forwarding defaults to 0
(more appropriate for multi-homed hosts). 

Any ideas how to track back where this  choice came from ? 

Thanks!
    Toerless

> --Sowmini
> --
> To unsubscribe from this list: send the line "unsubscribe netdev" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

-- 
---
Toerless.Eckert@...ormatik.uni-erlangen.de
/C=de/A=d400/P=uni-erlangen/OU=informatik/S=Eckert/G=Toerless/
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ