[c-nsp] Strict multihoming supported on a Cisco?

Marcel Lammerse lammerse at xs4all.nl
Wed Jul 28 18:51:41 EDT 2004 

Hi Steve,

it's a security thing. This outside ip address could be connected to 
the Internet. If the routing/security policy states that no traffic 
should be allowed between the internal segment and an outside segment 
other than via a firewall, it raises questions when people are able to 
get a response from an outside interface when they are on the inside.

I'm not sure what exactly the security implications are. Personally, I 
don't see how this behavior could be exploited. But it scares customers 
and I was wondering whether strict multihoming was an option to change 
this behavior.

Even though the requirements specified in the rfc differ between hosts 
and routers, I do think a router could (should?) implement this 
behavior. Packets addressed to the router itself should be handled 
differently than transit packets with regard to forwarding. I don't see 
any reason why a host would need to connect to a different physical ip 
address on a router (loopback ips are an exception), other than the one 
on the directly connected interface.

Marcel

On Jul 28, 2004, at 11:56 PM, Stephen J. Wilcox wrote:

> Hi Marcel,
>  this looks normal behaviour to me, what are you trying to stop it 
> from doing?
>
> Steve
>
> On Wed, 28 Jul 2004, Marcel Lammerse wrote:
>
>> an incoming ip packet, addressed to a Cisco router, will be forwarded
>> to the destination address even if that address is not the ip address
>> of the directly connected interface:
>>
>> spectrum2#sh ip int brief
>> Interface              IP-Address      OK? Method Status Protocol
>> Ethernet0              192.168.2.1     YES NVRAM  up
>> up
>> Serial0                unassigned      YES NVRAM  up
>> up
>> Serial0.1              172.16.1.1      YES NVRAM  up
>> up
>> Serial0.100            212.189.28.2    YES NVRAM  up
>> up
>> Serial1                unassigned      YES NVRAM  administratively 
>> down
>> down
>> spectrum2#
>>
>> Testmachine has an ip of 192.168.2.2 and has its default gateway
>> pointing to 192.168.2.1
>>
>> [test at testmachine]$ ping 212.189.28.2
>> PING 212.189.28.2 (212.189.28.2) from 192.168.2.2 : 56(84) bytes of
>> data.
>> 64 bytes from 212.189.28.2: icmp_seq=1 ttl=255 time=6.20 ms
>> 64 bytes from 212.189.28.2: icmp_seq=2 ttl=255 time=2.08 ms
>> 64 bytes from 212.189.28.2: icmp_seq=3 ttl=255 time=2.09 ms
>>
>> I've heard some security concerns about this. Is there a way of
>> enforcing what is known as the Strong End-System Model (RFC1122) or
>> strict multihoming behavior on a Cisco router? Or would that break
>> routing functionality (and thus would explain why I haven't seen it
>> anywhere in the manuals)?
>>
>>  From the rfc:
>>
>> There are two key requirement issues related to multihoming:
>>
>>              (A)  A host MAY silently discard an incoming datagram 
>> whose
>>                   destination address does not correspond to the 
>> physical
>>                   interface through which it is received.
>>
>>              (B)  A host MAY restrict itself to sending (non-source-
>>                   routed) IP datagrams only through the physical
>>                   interface that corresponds to the IP source address 
>> of
>>                   the datagrams.
>>
>>
>>              DISCUSSION:
>>                   Internet host implementors have used two different
>>                   conceptual models for multihoming, briefly 
>> summarized
>>                   in the following discussion.  This document takes no
>>                   stand on which model is preferred; each seems to 
>> have a
>>                   place.  This ambivalence is reflected in the issues 
>> (A)
>>                   and (B) being optional.
>>
>>                   o    Strong ES Model
>>
>>                        The Strong ES (End System, i.e., host) model
>>                        emphasizes the host/gateway (ES/IS) 
>> distinction,
>>                        and would therefore substitute MUST for MAY in
>>                        issues (A) and (B) above.  It tends to model a
>>                        multihomed host as a set of logical hosts 
>> within
>>                        the same physical host.
>>
>> 			 o    Weak ES Model
>>
>>                        This view de-emphasizes the ES/IS distinction, 
>> and
>>                        would therefore substitute MUST NOT for MAY in
>>                        issues (A) and (B).  This model may be the more
>>                        natural one for hosts that wiretap gateway 
>> routing
>>                        protocols, and is necessary for hosts that have
>>                        embedded gateway functionality.
>>
>> Regards,
>>
>> Marcel
>>
>
>

More information about the cisco-nsp mailing list