[30132] in North American Network Operators' Group
Re: Strange things which should never happen (was Re: RFC 1918)
daemon@ATHENA.MIT.EDU (Patrick W. Gilmore)
Sun Jul 16 12:22:43 2000
Message-Id: <4.2.2.20000716121006.032b44e0@ianai.net>
Date: Sun, 16 Jul 2000 12:19:35 -0400
To: nanog@merit.edu
From: "Patrick W. Gilmore" <patrick@ianai.net>
In-Reply-To: <20000715151527.B10802@isite.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Errors-To: owner-nanog-outgoing@merit.edu
At 03:15 PM 7/15/00 -0700, Joe Rhett wrote:
>> >I don't know my TCP/IP stack well enough, but what happens when a host
>> >with multiple interfaces, one of which is assigned an RFC1918 address,
>> >receives a packet through another interface with a source address the
>> >same RFC1918 address. Are the stacks smart enough to realize the packet
>> >is really an external packet, or will they assume the packet came from
>> >inside.
>
>> Nope - at least none of the ones I have seen.
>
>Hate to disagree, but all modern security-aware OSes can now be configured
>to validate which interface a packet should be received on. If the packet
>comes from a different interface it is generally dropped.
>
>In Solaris, the options are:
>
> ip_strict_dst_multihoming
> and
> ip6_strict_dst_multihoming
I was under the impression that hosts only check the *destination* IP
address. Feel free to correct me if I am mistaken (as I am sure 472 of you
will do :).
Sean was asking about packets with a *source* address in a subnet which is
on another one of their interfaces. So we are looking at a host which has,
for instance, 1.1.1.1/24 on e0 and 2.2.2.2/24 on e1. If a packet hits e0
with a destination address of 1.1.1.1 and a source address of 2.2.2.10, why
would the host reject it? The destination address is correct, and the
packet was routed to the correct interface.
I think Sean is worried about the response to that packet. The host might
send the reply/ACK/return/whatever packet out the second interface. If
e1 is addressed with RFC1918 space, and the packet were sourced from an
RFC1918 address in another network, the reply would obviously go to the
wrong location. If someone knew your internal network well enough, this
might even be used as a form of DoS attack.
>Joe Rhett Chief Technology Officer
TTFN,
patrick
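An added illustration of the case Patrick describes, not part of the original thread and not Solaris code: a toy routing table for a host with e0 on public space and e1 on RFC 1918 space. It shows that a destination-side check (modelled here the way Patrick reads ip_strict_dst_multihoming: the destination must be an address of the ingress interface) lets the packet through, that the reply is routed by its destination alone and so leaves via e1, and what a source-side check would have to look like to drop it. The interface names, addresses, packets and the "reverse path" check are all constructed assumptions.

```python
"""Toy model of the multihomed-host case discussed in the thread.

Constructed example: two interfaces, e0 on public space and e1 on RFC 1918
space, plus a packet that arrives on e0 but carries a source address that
belongs to e1's subnet.  Everything here (addresses, interface names, the
checks) is illustrative; it is not Solaris code.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Iface:
    name: str
    cidr: str  # address with prefix, e.g. "1.1.1.1/24"

    @property
    def ip(self):
        return ipaddress.ip_interface(self.cidr).ip

    @property
    def network(self):
        return ipaddress.ip_interface(self.cidr).network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress: str  # name of the interface the packet arrived on


class Host:
    """A host with directly connected subnets and a single default route."""

    def __init__(self, ifaces, default_iface):
        self.ifaces = {i.name: i for i in ifaces}
        self.default_iface = default_iface

    def route(self, addr):
        """Longest-prefix match over the connected subnets, else the default route."""
        ip = ipaddress.ip_address(addr)
        best = None
        for iface in self.ifaces.values():
            if ip in iface.network and (
                best is None or iface.network.prefixlen > best.network.prefixlen
            ):
                best = iface
        return best.name if best else self.default_iface

    def strict_dst_check(self, pkt):
        """Destination-side check, as Patrick describes it: the destination
        address must be one configured on the ingress interface."""
        return self.ifaces[pkt.ingress].ip == ipaddress.ip_address(pkt.dst)

    def reverse_path_check(self, pkt):
        """Source-side check (strict uRPF style; an assumption of this example,
        not a Solaris feature): the route back to the source must use the
        ingress interface, otherwise the packet is treated as spoofed."""
        return self.route(pkt.src) == pkt.ingress

    def reply_egress(self, pkt):
        """Where the reply goes: routed purely by the reply's destination,
        i.e. the original source address; the ingress interface is ignored."""
        return self.route(pkt.src)


def analyse(host, pkt):
    return {
        "strict_dst_ok": host.strict_dst_check(pkt),
        "reverse_path_ok": host.reverse_path_check(pkt),
        "reply_egress": host.reply_egress(pkt),
    }


# Constructed host: e0 public, e1 on RFC 1918 space, default route via e0.
HOST = Host([Iface("e0", "1.1.1.1/24"), Iface("e1", "10.0.0.1/24")], "e0")

# Constructed packets.
# 1) The case in the thread: arrives on e0, source claims to be in e1's subnet.
SPOOFED = Packet(src="10.0.0.10", dst="1.1.1.1", ingress="e0")
# 2) Ordinary traffic from the outside world.
LEGIT = Packet(src="192.0.2.5", dst="1.1.1.1", ingress="e0")
# 3) Arrives on e0 but is addressed to e1's address: what the strict
#    destination check is actually there to catch.
WRONG_DST = Packet(src="192.0.2.5", dst="10.0.0.1", ingress="e0")

if __name__ == "__main__":
    for name, pkt in (("spoofed", SPOOFED), ("legit", LEGIT), ("wrong_dst", WRONG_DST)):
        print(name, analyse(HOST, pkt))
```

Running it shows the split the thread is arguing over: the spoofed packet passes the destination check and its reply is routed out e1 into the internal RFC 1918 network, while only the source-side reverse-path check rejects it; the third packet is the one the destination check does catch.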