> > Aliased (stacked) interfaces ARE NOT SECURE. Period.
>
> Indeed. I would like to see this emphasised more in the netfilter howtos &
> tutorials. Multiple addresses on one interface are all very well, so long
> as they exist within the same subnet; however anyone trying to use multiple
> *network* addresses on one physical interface is defeating their security by
> ignoring what the different OSI network layers mean.

I want to add some qualification to these overstatements. Aliased interfaces do not inherently introduce any insecurity in cases where you don't care about subnet separation. For example, a hosting service that receives and uses a new address allocation not contiguous with its existing subnet is living with reality, not ignoring what the network layers mean nor defeating its security.

(As an aside, the OSI model is really little more than a sometimes useful abstraction anyway. Twenty years ago it was already hard to relate to a corporate network that used both IP-encapsulated DECnet and DECnet-encapsulated IP. Today's networks abound with VPNs that muddle the OSI model.)

--
Dick St.Peters, stpeters@xxxxxxxxxxxxx