Martin A. Brown wrote:
> Eli,
>
> : > > Now I bring host B's ib1 interface down
> : > > (ifconfig ib1 down) and I expect that the interface's IP address will no
> : > > longer exists.
> : >
> : > This would be an incorrect assumption.
> : >
> : > Deleting an address and preventing traffic on an interface are two
> : > different operations. As long as there is a route, through any
> : > interface, all addresses identify the same machine and will be
> : > delivered. This isn't Linux-specific behavior.
> :
> : But the interface is now down. And suppose I would bring ib1 down
> : on host B and at the same time assign its IP address to another
> : interface on host C (this is legal isn't it?). Where would the
> : packets go then?
>
> This might very well be Linux-specific behaviour. I would encourage
> you to read the iproute2 documentation and compare the output of "ip
> address show" with your expectations.
>
> When you bring an interface down, the IP address is still listed on
> that interface. If the system has another link to the network, the
> IP address on the "downed interface" is still reachable. Some
> people view this as counterintuitive behaviour, but this reflects a
> core decision within the kernel's networking stack:
>
> IP addresses are associated with the host.
And Linux continues to do this in spite of the fact that virtually all
other operating systems don't have this bug. And bug it is, a firewall
will by default allow machines on subnet A (on NIC A) to access
addresses on subnet B (NIC B) even though there's no such IP on NIC A.
It requires iptables firewall rules to close this hole.
It wouldn't be so bad if there was an option to provide security by
default via sysctl, but there just doesn't seem to be, and patches to
fix this have been rejected. Even the option to disable ARP response on
NICs with no matching address was resisted (don't remember the details,
sorry).
And if you want packets with source IP a.b.c.d to go out the NIC which
bears that IP, you better start writing source routing rules, because if
you have multiple paths to the destination IP a path will be chosen at
random, which best case results in using the wrong NIC and in the worst
case having the gateway for the wrong NIC reject the packet for having a
spoofed source IP.
I don't object to having an insecure mode, and I can live with it being
the default, but I sure wish there was a simple way to make multi-homed
machines operate in a sensible manner. In many cases I have a low speed
backup link on a machine, and a raft of rules to keep it from being used
if the normal link is up.
Sorry to vent, this has pissed me off since 2.3 days.
--
bill davidsen <davidsen@xxxxxxx>
CTO TMR Associates, Inc
Doing interesting things with small computers since 1979
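The per-source-address routing the message above says a multi-homed host needs, together with the reverse-path and ARP sysctls that tighten the "addresses belong to the host" behaviour, as an added example that is not part of this thread or of any kernel documentation. Interface names, addresses, gateways and table numbers are constructed; the script only prints the iproute2 and sysctl commands unless APPLY=1 is set, so the plan can be reviewed before it touches a live box.

```shell
#!/bin/sh
# Added example (not from the thread): per-source-address policy routing for a
# multi-homed Linux host, so traffic sourced from each local address leaves
# through the NIC that bears it, plus the sysctls that stop the host answering
# for addresses that are not on the receiving NIC.
# All interface names, addresses, gateways and table ids below are constructed.
# Prints the commands by default; set APPLY=1 (as root) to execute them.

set -eu

# Emit the iproute2 commands that pin one local address to its own table.
# $1 interface, $2 local address, $3 connected prefix (CIDR), $4 gateway,
# $5 table id (also used as the rule priority)
policy_routing_cmds() {
    iface=$1 addr=$2 net=$3 gw=$4 table=$5
    # Connected route inside the per-address table, with the matching src hint.
    printf 'ip route replace %s dev %s src %s table %s\n' "$net" "$iface" "$addr" "$table"
    # Default route for that table via the gateway reachable on this NIC.
    printf 'ip route replace default via %s dev %s table %s\n' "$gw" "$iface" "$table"
    # Policy rule: packets sourced from this address consult this table.
    # (ip rule add is not idempotent; delete the rule first when re-running.)
    printf 'ip rule add from %s lookup %s priority %s\n' "$addr" "$table" "$table"
}

# Sysctls that drop packets whose return path would not use the receiving
# NIC and stop the host replying to ARP for addresses configured elsewhere.
# Strict rp_filter stays consistent here because the per-source rules above
# make the reverse lookup for a local address resolve to that address's NIC.
hardening_sysctls() {
    printf 'net.ipv4.conf.all.rp_filter=1\n'     # strict reverse-path check
    printf 'net.ipv4.conf.all.arp_ignore=1\n'    # answer ARP only for addresses on the NIC
    printf 'net.ipv4.conf.all.arp_announce=2\n'  # ARP using the best local address for the link
}

# Render the full plan for a constructed two-NIC layout:
# eth0 = primary link, eth1 = slow backup link.
render_plan() {
    policy_routing_cmds eth0 192.0.2.10    192.0.2.0/24    192.0.2.1    100
    policy_routing_cmds eth1 198.51.100.10 198.51.100.0/24 198.51.100.1 101
    hardening_sysctls | sed 's/^/sysctl -w /'
}

if [ "${APPLY:-0}" = 1 ]; then
    render_plan | while IFS= read -r cmd; do eval "$cmd"; done
else
    render_plan
fi
```

Run it without arguments to see the nine commands it would issue; `ip rule show` and `ip route show table 101` afterwards confirm that a packet sourced from the backup address is steered to the backup gateway rather than to whichever default route the main table happens to pick. The main table's own default route still decides which link unsourced outbound connections use, so the backup link stays idle until a rule or socket binds to its address.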