Bugtraq mailing list archives
Re: Loopback and multi-homed routing flaw in TCP/IP stack.
From: Lars Mathiesen <syl () ECMWF INT>
Date: Tue, 6 Mar 2001 11:48:37 +0000
On Mar 5, 20:07, Neil W Rickert wrote:
> I am surprised to see this described as a flaw. It is behavior I have been relying on for some time. Specifically, on my client machines, I add a route to the alternate interface of my servers via the direct interface of the same server. This allows direct connection to the server without relying on a router, regardless of which IP address is used for the service. For NFS clients, I consider it important to be able to do this.
We use a similar trick to provide failover between internal LANs for our servers: Every functioning interface announces the 'well-known' server address via a routing protocol, and the clients either run gated or rely on a router to pick the best route that they see an announcement for.
> If there is a flaw, it is surely in the thinking of people who mistakenly assumed that multi-homed systems would not behave so as to allow this.
I concur totally. Back when I designed security solutions (admittedly high end) for a living, best practice was that any system with a reason to distinguish its interfaces must have the less secure one on a dedicated LAN segment to a real router with antispoofing filters in place. And that includes commercial firewalls. (Of course a firewall should by default discard packets arriving at the wrong interface, but better safe than sorry). The farm of misconfigured NT web servers should be on a different LAN interface on the router, so rooting one won't enable an attacker to install password sniffers or send malformed or misrouted packets to the firewall/ mail gateway/ whatever.
--
Lars.Mathiesen () ecmwf int
ECMWF, Shinfield Park, Reading, Berks. RG2 9AX England
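The two router-side rules Lars describes (antispoofing on each ingress port, and dropping packets that reach one of the gateway's own addresses via the wrong interface) as an added Python model; this is not code from the thread, and the port names, prefixes and gateway addresses are constructed for illustration.

```python
import ipaddress

# Constructed dual-homed gateway: the less trusted "dmz" segment hangs off its
# own router port. Prefixes accepted as *sources* on each ingress port.
ALLOWED_SRC = {
    "inside": ["10.0.0.0/8"],     # routed internal space behind the inside port
    "dmz":    ["192.0.2.0/24"],   # only the directly attached DMZ segment
}
# The gateway's own address on each port (constructed values).
LOCAL_ADDR = {"inside": "10.1.0.1", "dmz": "192.0.2.1"}
# Addresses that never legitimately appear on a wire (loopback, "this" network).
MARTIANS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("0.0.0.0/8")]


def verdict(ingress, src, dst):
    """Classify one packet seen on port `ingress`: 'accept' or a 'drop: ...' reason."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if any(s in net for net in MARTIANS) or any(d in net for net in MARTIANS):
        return "drop: martian address on the wire"
    # Antispoofing: the source must belong to the space behind this port.
    if not any(s in ipaddress.ip_network(p) for p in ALLOWED_SRC[ingress]):
        return "drop: spoofed source"
    # Strict interface rule: a gateway address is only reachable via its own port.
    owner = next((port for port, a in LOCAL_ADDR.items()
                  if ipaddress.ip_address(a) == d), None)
    if owner is not None and owner != ingress:
        return "drop: local address reached via wrong interface"
    return "accept"


def run(packets):
    """Apply verdict() to a list of (ingress, src, dst) tuples."""
    return [verdict(*p) for p in packets]


# Constructed sample traffic covering each rule.
SAMPLE = [
    ("dmz", "192.0.2.20", "10.1.0.1"),    # DMZ host aiming at the inside-port address
    ("dmz", "10.1.0.55", "10.1.0.1"),     # DMZ host claiming an inside source
    ("dmz", "127.0.0.1", "192.0.2.1"),    # loopback source on the wire
    ("dmz", "192.0.2.20", "192.0.2.1"),   # ordinary DMZ -> gateway traffic
    ("inside", "10.2.3.4", "192.0.2.1"),  # inside host aiming at the dmz-port address
    ("inside", "10.2.3.4", "10.1.0.1"),   # ordinary inside -> gateway traffic
]
```

The fifth packet is exactly the cross-interface shortcut Neil relies on; under Lars's stricter default it is dropped, which is the trade-off the thread is arguing about.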