Re: Loopback and multi-homed routing flaw in TCP/IP stack.

[Ben Laurie <ben () ALGROUP CO UK>]

John Cronin wrote:
> > > The Issue:
> > >
> > > There is a flaw in the TCP/IP stack, such that packets intended for
> > > loopback and/or local network interfaces, routed via any other
> > > interface, will be delivered EVEN IF THE MACHINE IS CONFIGURED NOT TO
> > > BE A GATEWAY (note that in the case of packets destined for the
> > > loopback interface, we consider this to be a fault no matter how the
> > > host is configured - see RFC 1122 comments below).
>
> What about a virtual IP bound to the loopback interface, or a dummy
> interface?  This is precisely what many load balancing and high
> availability failover clusters do, as previously mentioned.

A virtual IP bound to the loopback interface is not in 127/8 and so
would not be filtered.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

ApacheCon 2001! http://ApacheCon.com/