Re: [nsp] unicast RPF for IP/ARP relation?

From: Gert Doering (gert@greenie.muc.de)
Date: Sun Jun 02 2002 - 17:23:13 EDT


Hi,

On Sun, Jun 02, 2002 at 02:20:35PM -0700, kevin graham wrote:
> > It might be possible to isolate the machine into its own /30, though -
> > give it its own vlan, and have the router proxy-arp to simulate its
> > existance on the corresponding "other" vlan. Ugly, but certainly worth
> > a try. Hmmm. As things happen, the machine has the IP address
> > <network>.7 - this is going to be tricky...
>
> You could always just setup a router doing bridging and apply ACL's
> there.. Performance would be undoubtedly miserable, but hopefully that's
> not a big concern for a hacked box..

Indeed performance *is* critical.

Anyway, the original tip got me started:

 - create a new vlan interface
 - IP address 10.1.1.1/24, CEF, unicast reverse path filtering
 - move machine into that vlan (on switch)
 - "ip route <machine's ip> 255.255.255.255 vlan<new> (on router)
 - enable proxy-arp on old and new vlan
 - clear arp

 - wait for arp cache to expire on host itself

-> works like a charm

 - outside machines can ping the box in question
 - machines from "the same LAN" can ping the box in question
   (via proxy-arp)
 - the machine can't spew any more garbage, unicast RPF is catching that

Thanks :-) - this wasn't the answer to my question, but it solved my
problem, which is even better.

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert@greenie.muc.de
fax: +49-89-35655025                        gert.doering@physik.tu-muenchen.de



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:46 EDT