Subject: Re: if_null
To: Andrew Brown <atatat@atatdot.net>
From: Steven M. Bellovin <smb@research.att.com>
List: tech-net
Date: 04/08/2004 07:39:06
In message <20040408001831.A27366@noc.untraceable.net>, Andrew Brown writes:
>On Wed, Apr 07, 2004 at 03:43:12PM -0400, Steve Bellovin wrote:
>>I've implemented if_null, the network equivalent of /dev/null.  It has
>>several purposes:  remote-triggered routing black holes (see
>>http://www.nanog.org/mtg-0402/pdf/morrow.pdf ); and
>>an easier way to monitor all traffic to some dummy destination.
>>tcpdump on the input interface works, of course, but bpf has
>>to filter a lot of "uninteresting" data.  With if_null, you can
>>route such traffic to a null interface, and pick up everything with
>>tcpdump.
>>
>>The difference between if_null and RTF_BLACKHOLE is that the discard 
>>notion is tied to the interface, rather than to the route.  Taking out 
>>the indirection is what allows remote-triggered black holes to work.
>>It also provides for byte and packet counters for the discarded packets.
>>
>>if_null is a clone device:
>>
>>        ifconfig null0 create
>>        ifconfig null0 192.168.42.42
>>
>>and was derived from if_gre.c.  I *think* I deleted all of the
>>no-longer-necessary code.
>
>i did this once, but i called it "nul" instead of "null".  i was
>probably thinking that i liked cisco's name or something.  fwiw, i
>copied if_loop.c instead, and ripped the bottom off it.  i've still
>got it around here somewhere...

I used if_gre.c because I wanted it to be a clone interface -- not to 
make it easy to create more, but to make it easy to have fewer of them.
>
>>You can pick up a copy at http://www.machshav.com/~smb/if_null .
>>I compiled and tested it on 2.0beta; it will probably work on -current 
>>without change.  I have no idea what would happen on 1.6.2.
>
>indeed, i had trouble making mine do "the right thing" with ipv6.
>does yours do so?  for some reason, i was always able to ping whatever
>v6 address i assigned to the interface, leading me to believe that v6
>was something i needed to know yet more about when i had more time...
>
Hmm, I'm seeing the same behavior.  The problem is, I think, at a 
higher level -- the host IP address/128 is routed to lo0 when you 
assign the v6 address.  I'll have to poke around to see where that's 
happening, and what, if anything, can be done in the driver.

		--Steve Bellovin, http://www.research.att.com/~smb