[ipv6hackers] Strong Host Model
Mark ZZZ Smith
markzzzsmith at yahoo.com.au
Wed Jul 31 14:22:07 CEST 2013
----- Original Message -----
> From: Guillermo Lafuente Tejero <guiye1984 at hotmail.com>
> To: "ipv6hackers at lists.si6networks.com" <ipv6hackers at lists.si6networks.com>
> Cc:
> Sent: Wednesday, 31 July 2013 9:11 PM
> Subject: Re: [ipv6hackers] Strong Host Model
>
>> I haven't used it, but apparently it is now implemented in the Linux
>> firewall - the rpfilter match:
>
>
>> https://bugzilla.kernel.org/show_bug.cgi?id=6998
>
> Thanks Mark, that could help.
>
>
>> I've always wondered about this: In what way does the strong host model
>> improve security? Are you just concerned about information leakage
>> (ability to discover the host's non-local IP addresses), or is there
>> something else?
>
>
> Hi Paul
>
> For my tests I had the following:
>
> ----------------
> -eth1 ----------> Ping response
> HOST -
> -eth0 <--------- Ping request
> ----------------
>
> Eth0: manual IPv6 config (no default router)
> Eth1: SLAAC
>
> Sending a ping to eth0 directed to eth1 would cause the packet to travel from
> the network configured in eth0 to the net in eth1. The outbound packet in eth1
> was using eth1's MAC address but eth0's IPv6 address.
>

Firstly, were both eth0 and eth1 attached to the same link? If so, this may be a consequence of your manual IPv6 configuration on eth0. IPv6 hosts aren't supposed to use an address's prefix length to determine on-link or off-link destinations. Instead, they are supposed to use the on-link flag (L bit) in the PIO received in RAs (see RFC5942).

(You still need to supply RAs with PIOs with on-link flags even if you use static IPv6 addressing. If you don't want them to consider the router that is the source of the RAs to be a default router, the router lifetime is set to zero.)

(What is the advantage of this? You can have a host use SLAAC to select an address within a /64, but have it send all traffic to any destination other than itself to the default router (for possible security inspection), by issuing RAs with a PIO prefix with the A bit on (for address autoconfiguration), but the L bit off, so the host doesn't consider any other address within the /64 to be on-link.)

So in your scenario, the RAs received on eth1 (the SLAAC interface), would probably have a PIO option with the /64 prefix flagged as on-link. So when the host chooses an outbound interface for the packet, it uses the only one it knows the destination exists on - eth1. As eth0 hasn't received any RAs with PIOs specifying that the /64 is on-link, eth0 isn't considered a candidate egress interface for the ping response.

> What is happening is that the host receives the ping in eth0, and when
> creating the response, checks the routing table and says: oh! I have to reply to
> someone and default gw is in eth1, here you go!
>
> This could be an environment in which you have systems which should not be
> reachable from the Internet in eth0 and Internet connectivity in eth1 (or
> vice versa). You may want to completely separate both networks for a good reason,
> and with the weak host model you would be able to jump from one to another.
>
> Thanks,
> Regards,
> Guillermo
>
>
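
An added example, not part of the original thread: a small Python parser that reads the router lifetime and the PIO L and A flags from a Router Advertisement, which is the information the reply above says a host uses for on-link determination. The function names `build_ra` and `parse_ra` and the 2001:db8::/32 documentation prefixes are assumptions made for illustration, and the RA bytes are constructed in the script rather than captured.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134       # ICMPv6 type, RFC 4861
OPT_PREFIX_INFO = 3          # Prefix Information Option (PIO)
FLAG_L, FLAG_A = 0x80, 0x40  # on-link flag, autonomous (SLAAC) flag

def build_ra(router_lifetime, prefix, on_link, autonomous):
    """Build a constructed RA carrying one PIO (checksum left at 0, not checked)."""
    net = ipaddress.IPv6Network(prefix)
    flags = (FLAG_L if on_link else 0) | (FLAG_A if autonomous else 0)
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0,
                      router_lifetime, 0, 0)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, flags,
                      86400, 14400, 0)
    return hdr + pio + net.network_address.packed

def parse_ra(icmp6):
    """Parse an RA starting at the ICMPv6 type byte; return what a host acts on."""
    if len(icmp6) < 16 or icmp6[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    router_lifetime = struct.unpack_from("!H", icmp6, 6)[0]
    prefixes = []
    off = 16                                  # options follow the fixed header
    while off < len(icmp6):
        if off + 2 > len(icmp6):
            raise ValueError("truncated option header")
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8  # length in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("malformed option length")
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            plen, flags = icmp6[off + 2], icmp6[off + 3]
            net = ipaddress.IPv6Network((icmp6[off + 16:off + 32], plen),
                                        strict=False)
            prefixes.append({"prefix": str(net),
                             "on_link": bool(flags & FLAG_L),
                             "autonomous": bool(flags & FLAG_A)})
        off += opt_len
    # Router lifetime 0 means the sender is not to be used as a default router.
    return {"default_router": router_lifetime > 0, "prefixes": prefixes}

if __name__ == "__main__":
    # Constructed samples matching the two cases described in the reply.
    samples = {
        "SLAAC, all traffic via router (A=1, L=0)":
            build_ra(1800, "2001:db8:1::/64", False, True),
        "static host, on-link prefix only (lifetime 0, L=1)":
            build_ra(0, "2001:db8:2::/64", True, False),
    }
    for name, ra in samples.items():
        print(name, parse_ra(ra))
```
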