Quick Reference

Home
Alpine Linux Boot Process
libinput on Alpine Linux
who on Alpine
ALSA Config
Android Hacking
Android Load apkx File
Audio Stream Fu
Audio Recording (simple)
AWK
BASH quick ref
Benchmark with fio
BlackBerry as a Modem
BlackBerry Video Encoding
Building libcurl on Windows with VS
Building QEMU Images for Alpine Linux
for use with libvirt and terraform
Building TI MSP430 GCC
Certificate and Key Handling
Chart Drawing
Currency Converter
Custom Bootable Alpine Linux
Custom Alpine Kernel
Colourspace Conversion
Compile FMS from Source
Courier IMAP Server
Datasheets and Manuals
Deduplication of Files
Deleting Old Devices
Delphi 7 Dynamic Linking
Delphi Compiler Warnings
Desktop Capture with FFMPEG
X11
Desktop Capture in Sway
Dovecot IMAP
Dovecot Replication
Docker HowTo (Simple Setup)
Remove Untagged Docker Images
Docker Xvfb Alpine Howto
Docker Storage
DomainKey Identified Mail with Exim
DRBD Over OpenVPN
Eclipse and Jetty
Eclipse Themes
Edge Detection
Electronics
Emailing
ESP8266 Get Started
ESP8266 OpenSDK
Exchange 2010 and Lighttpd
Exim Process and Forward Incoming Mail
Exim with Dovecot
FFmpeg Webcam and v4l2 stuff
flickr image from file name
Force Video Output
KMS/FB and Weston
Fonts
Freenet Routing Fu
Flushing Filesystem Buffers
GDB in Windows
Gentoo eudev and udev
Gentoo omxplayer
Gentoo on Raspberry Pi
Gentoo initramfs
Gentoo Java Problems
Gentoo Stage4
Gentoo Update (portage)
Gentoo VirtualBox Install
git Quick Reference
git Workflow
GNUplot Curve Fitting
GNUplot Heart
GNUplotting
Quick Reference
GnuPG Simple
Hen*Plus
ImageMagick
Quick Reference
InspIRCd on Gentoo
Install Gentoo with Hyper-V
iproute2
iptables
iptables bwmon
IPv6 in IPv6 Tunnels STUB
IPv6 Setups STUB
ircclient
irssi
Java Anti-aliasing
Jetty JSP 9.2/9.3 Error
Jetty JSP 9.4 Error
LDAP Searching
and binding on Linux
Logging in Java
LVM Mount on Gentoo
LVM Howto Rev 2
Video File Montage Creation
MPlayer play section of file
Install macOS X on Mac Pro
Maven for Java Development
MPlayer v4l Snapshots
mpv Quick Reference
MSP430 I2C
msys2 Home Modification
mtu Sizes
Multi Homed Hosts and ARP
Multiple RDP Sessions
nginx and cgit
Oneliners
Oukitel C8 Hacking
GNU Parted Simple tutorial
PinePhone Modem
PinePhone Sleeping
Piping for msmtp

PixivUtil2 Install
powersave.sh
qemu PCI Passthrough
qemu USB Passthrough
Quick VMs with QEMU
Reset Password in Windows
Routing Traffic in Windows
rpcontinued.xpi for Pale Moon
Screen Sharing with Sway
sed and grep
sfdisk howto
Shell and File Descriptors
Spring Security Upgrade from 3 to 4
Strong Host Model for Linux
SQLite3 Compile DLL with VS2010
SSL and Lighttpd
std::string to std::wstring and back
Sway IPC with swaymsg
Terminal Codes and socat
Traffic Control (tc)
In-depth with background and quirky routing and networking configuration
Traffic Control Again
Simpler method using ifb
UEFI Booting from Shell
Update Own Number with AT Commands
Videos, Interesting
VirtualBox to QEMU
Quick start guide
Visual Studio Reminders
whatsmeow on Alpine in Docker
Word and VBA Header Protection
wpa_cli
X11 TrackMan Marble
X11 Programming

multihomed hosts and arp

Multi-Homed Hosts and ARP

Why does Linux answer to ARP on incorrect interfaces?

Consider the following host configuration:

       Joshua                      Fredrick
+---------------------+     +--------------------+
| eth0: NOT ASSIGNED  |     |                    |
| br0: 192.168.0.31   +-----+ eth0: 192.168.0.21 |
| tap25: 192.168.80.2 +---+ | eth0: 192.168.1.21 |
| tap29: 192.168.81.2 |   | +--------------------+
+---------------------+   |
                          |
                          |
                          |
      Riker               |
+---------------------+   |
| eth0: 192.168.80.25 +---+
+---------------------+

All these hosts are normal Linux hosts and have the following settings:

/proc/sys/net/ipv4/conf/eth0/rp_filter - 1
/proc/sys/net/ipv4/ip_forward          - 0

Who can talk to who?

It is not surprising that Riker cannot communicate with Fredrick on any IP address, for that to work Joshua would have to forward packets to Fredrick.

What may be surprising is that Fredrick can connect to Joshua on any of the configured interface addresses (assuming routing would allow it) the same is true for Riker: Riker may connect to Joshua using any of the addresses assigned to interfaces on Joshua.

The reason for this is that the Linux IP stack uses what is referred to as the Weak Host model. Explained by "The Cable Guy" on Microsoft TechNet (see References).

With the weak host model it does not matter on which interface a packet is received as long as the packet is destined for an address that is assigned on the receiving host it will be accepted and processed by the stack in the normal way.

Implications for Security

There is a certain class of attack that can be instigated by sending a packet to a local address when connected physically to an external interface.

In the example above a service intended only for Riker (or on Riker's subnet 192.168.80.0/24) could be bound to an address within that subnet on the assumption that since Fredrick is not on that subnet Fredrick will not be able to access the service bound on 192.168.80.2. This assumption is incorrect for the weak host model as it is indeed possible to connect to a service running on 192.168.80.2 from 192.168.0.21 without forwarding pakets.

ARP

Since the above outlined behaviour is a feature and not a bug then ARP also provides the support required. When Riker requests that someone reply with the MAC address for 192.168.0.31 Joshua will respond with the MAC address of the tap25 interface allowing IP communication to begin. Of course this would not be a required step for SLIP or PPP.

ARP Tweaking

As the SO post (see References) details there are some settings that can be customised to stop this first step. It is important to note that it will not prevent the IP stack from processing incoming data but it will force the client to know the MAC address of the server (easy) and also the IP address on which the service is bound (which is also probably easy).

The filenames in /proc/sys/net/ipv4/conf/?/ are:

arp_announce
arp_ignore

Further details in sysctl variables and the SO post.

Final Note on `rp_filter`

Read the detail of what rp_filter does carefully. Sending a packet with a source address on an interface that is not the optimal route will fail the filter check if the flag is set in all OR interface:

The max value from conf/{all,interface}/rp_filter is used
when doing source validation on the {interface}.

See sysctl variables in References.

See also a problem for Multi-Homed hosts in References and RFC 3704.

2024-09-26

Configure Stronger Host Model using `systemd`

Configuring the strong host model (or something like it) with systemd involves creating different routing tables for each interface. This is not specific to systemd and so can be configured with a shell script...

`systemd` Configuration

For these hosts the example will include a DHCP configured interface and two statically configured interfaces:

eth0   - DHCP
eth1   - VLAN Interface
vlan8  - 10.8.0.1/16
vlan16 - 10.16.0.1/16

# /usr/lib/systemd/network/21-eth0.network
[Match]
Name=eth0
[Network]
DHCP=yes
[DHCPv4]
RouteTable=200
[DHCP]
UseMTU=yes
RouteMetric=10
ClientIdentifier=mac

# /usr/lib/systemd/network/22-eth1.network
[Match]
Name=eth1

[Network]
DHCP=no
VLAN=vlan8
VLAN=vlan16

# /usr/lib/systemd/network/23-vlan8.network
[Match]
Name=vlan8
[Network]
DHCP=no
[Address]
Address=10.8.0.1/16
AddPrefixRoute=false
[Route]
Destination=10.8.0.1/16
Scope=link
Table=8
[RoutingPolicyRule]
From=10.8.0.0/16
To=10.8.0.0/16
IncomingInterface=vlan8
Table=8
[RoutingPolicyRule]
From=10.8.0.0/16
To=10.8.0.0/16
Table=8

# /usr/lib/systemd/network/24-vlan16.network
[]

Shell Script Configuration

Creating a VLAN device on eth1:

ip link add link eth1 name vlan8 type vlan id 8

Adding an address to an interface without creating an entry in the main routing table:

ip addr add 10.8.0.0/16 dev vlan8 noprefixroute

To be continued...

2024-10-14

References

Quick Links: Techie Stuff | General | Personal | Quick Reference