rp_filter; iptables; spoofing

David Trcka trcka at poda.cz
Tue Jul 9 10:13:08 CEST 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 9 Jul 2002, David Trcka wrote:

> Please take this explanation with a grain of salt; it has been a while since I
> looked into it, so I cannot vouch for the complete correctness of what I wrote here.
> 
So, to be more precise:

rp_filter - INTEGER
	2 - do source validation by reversed path, as specified in RFC1812
	    Recommended option for single homed hosts and stub network
	    routers. Could cause troubles for complicated (not loop free)
	    networks running a slow unreliable protocol (sort of RIP),
	    or using static routes.

	1 - (DEFAULT) Weaker form of RP filtering: drop all the packets
	    that look as sourced at a directly connected interface, but
	    were input from another interface.
	    
	0 - No source validation. 

	NOTE: do not disable this option! All BSD derived routing software
	(sort of gated, routed etc. etc.) is confused by such packets,
	even if they are valid. When enabled it also prevents ip spoofing
	in some limited fashion.

	NOTE: this option is turned on per default only when ip_forwarding
	is on. For non-forwarding hosts it doesn't make much sense and 
	makes some legal multihoming configurations impossible.

RFC1812:

5.3.8 Source Address Validation

   A router SHOULD IMPLEMENT the ability to filter traffic based on a
   comparison of the source address of a packet and the forwarding table
   for a logical interface on which the packet was received.  If this
   filtering is enabled, the router MUST silently discard a packet if
   the interface on which the packet was received is not the interface
   on which a packet would be forwarded to reach the address contained
   in the source address.  In simpler terms, if a router wouldn't route
   a packet containing this address through a particular interface, it
   shouldn't believe the address if it appears as a source address in a
   packet read from this interface.

   If this feature is implemented, it MUST be disabled by default.

   DISCUSSION
      This feature can provide useful security improvements in some
      situations, but can erroneously discard valid packets in
      situations where paths are asymmetric.


DHCP is not mentioned there at all, so either it is assumed that no DHCP server
will run on routers like this, or the rule does not apply to DHCP packets, or the
question is simply not addressed.


- -- 
David Trcka, network administrator
PODA s.r.o. - Internet Service Provider
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9KpsWMNnAMG0b8P4RAlV4AKCGr7hzBTCdfMkithHa3mmpIBSFRwCeOXSI
woOw1AZU3N9+7f4XOtDyrsQ=
=2m2n
-----END PGP SIGNATURE-----
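As an added example (not code from the message above, nor from the kernel), here is a small Python model of the RFC 1812 section 5.3.8 rule that the message quotes: look up the packet's source address in the forwarding table and compare the interface the reply would leave on with the interface the packet arrived on. It uses the mode numbering of current Linux kernels (net.ipv4.conf.*.rp_filter: 0 = off, 1 = strict, 2 = loose, where loose only requires that some route back to the source exists); the kernel documentation quoted in the message is from an older kernel whose numbering differed. The routing table and the packets are constructed for illustration.

```python
"""Model of RFC 1812 section 5.3.8 source address validation (Linux rp_filter).

Added example, not code from the original message or from the kernel. The routing
table and packets are constructed. Mode numbering follows current kernels
(0 = off, 1 = strict, 2 = loose), not the older documentation quoted in the message.
"""
import ipaddress

# Constructed routing table in `ip route` style: two LANs and a PPP uplink.
ROUTING_TABLE = """\
192.168.1.0/24 dev eth0
10.0.0.0/24 dev eth1
172.16.0.0/16 via 10.0.0.2 dev eth1
default dev ppp0
"""

# Constructed test packets: (description, source address, ingress interface).
PACKETS = [
    ("LAN address arriving on the uplink (classic spoof)", "192.168.1.50", "ppp0"),
    ("Internet address arriving on the uplink", "203.0.113.5", "ppp0"),
    ("172.16/16 arriving on the uplink (asymmetric path)", "172.16.4.4", "ppp0"),
    ("DHCP DISCOVER on the LAN (source 0.0.0.0)", "0.0.0.0", "eth0"),
]


def parse_routes(text):
    """Parse 'prefix [via gw] dev IFACE' lines into (network, device) pairs."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or "dev" not in parts:
            continue
        prefix = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        routes.append((ipaddress.ip_network(prefix), parts[parts.index("dev") + 1]))
    return routes


def reverse_path_interface(routes, src):
    """Interface a packet *to* src would leave on (longest-prefix match), or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def rp_filter(routes, src, in_dev, mode):
    """Return True if the packet passes source validation in the given mode.

    mode 0: no validation.
    mode 1: strict, the RFC 1812 rule: accept only if the reverse path leaves
            through the interface the packet arrived on.
    mode 2: loose: accept if the source is reachable through any interface.
    """
    if mode == 0:
        return True
    out_dev = reverse_path_interface(routes, src)
    if out_dev is None:
        return False          # no route back to the source at all
    if mode == 1:
        return out_dev == in_dev
    return True


def verdicts(mode, table=ROUTING_TABLE, packets=PACKETS):
    """Map each packet description to True (accepted) or False (dropped)."""
    routes = parse_routes(table)
    return {desc: rp_filter(routes, src, dev, mode) for desc, src, dev in packets}


if __name__ == "__main__":
    for mode in (0, 1, 2):
        print(f"rp_filter={mode}")
        for desc, ok in verdicts(mode).items():
            print(f"  {'accept' if ok else 'DROP  '}  {desc}")
```

Running it shows the three cases the quoted texts talk about. Strict mode drops the LAN address arriving on the uplink (the spoof the filter exists for), but it also drops the 172.16.4.4 packet, which is valid traffic whose reply goes out eth1 while the packet came in on ppp0: that is the asymmetric-path failure the RFC 1812 DISCUSSION warns about. Loose mode accepts everything in this table, because the default route makes every address reachable; with a default route, loose mode only rejects sources that have no route at all, which is a much weaker filter than the "directly connected interface" rule in the older documentation quoted above. For the DHCP question raised in the message, a literal application of the RFC rule drops a DHCP DISCOVER: 0.0.0.0 matches only the default route, which points at the uplink, so whatever a real implementation does with all-zeros sources has to be a special case, and the message leaves that open. On a live system, read the effective settings with `sysctl net.ipv4.conf.all.rp_filter net.ipv4.conf.eth0.rp_filter`; the kernel applies the larger of the `all` and per-interface values.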


