tech-net archive


Re: ipfilter, return-icmp and RFC1122

On 5 Jun 2008, at 16:51, Jim Wise wrote:
> On Thu, 5 Jun 2008, Dennis Ferguson wrote:

> Well, the default behavior is arguably right for a router (the more
> common IPF use case).  In any case, the error should be a rare one --
> assuming proper config of border routers, any broadcast packet you see
> reaching a host will have originated on the local subnet (or close), so
> such a response should be rare and local.

I'm not clear on how this behaviour could be argued to be any more correct
for a router than a host.  Here's what RFC 1812 says:

> It's clear that a router should be rejecting a broadcast packet which
> would transit that router in almost all cases.

Broadcast-addressed packets should never transit a router which is working
properly by default, firewall or not.

That's not the bit which bothers me, though.  Routers and hosts should
generally never send an error packet in response to a packet which arrives
as a link level broadcast or multicast no matter what the IP destination
address in the packet is (there are lots of ways for packets to arrive
as link-level broadcasts with addresses which can't be identified as
"broadcast" addresses), since doing so can break things. While configuring
the router to do that anyway is fine with me, it should be at least as
easy to configure the router to do the right thing.

> If the network behind the router is otherwise firewalled, the router
> should return the same error as it would for any other address on that
> network -- otherwise, the router's lack of a response would confirm the
> existence of the otherwise-firewalled network (a non-configured network
> having no broadcast address).

That's a different issue, if I understand it.  Subnet-specific broadcast
addresses are only broadcast addresses on the subnet with that address.
If they arrive on another interface you can do anything you would normally
do with any packet addressed to the same subnet, firewall or not, except
that by default the router shouldn't forward the packet onto the subnet
where it would be broadcast.

That is a different issue than the handling of packets which arrive as
link-level broadcasts, however, no matter what address is in the packet.
These should normally be silently eaten.

Dennis Ferguson
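The rule Dennis is describing is the one RFC 1122 (section 3.2.2) and RFC 1812 (section 4.3.2.7) spell out: an ICMP error must never be generated for a packet that arrived as a link-layer broadcast or multicast, that is addressed to an IP broadcast or multicast address, that is a non-initial fragment, that is itself an ICMP error, or whose source address does not name a single host. The following is an added example, not code from the thread or from ipfilter, showing that decision as a small filter-side check. The interface table and the sample packets are constructed for the example (addresses from the RFC 5737 documentation ranges); `Packet`, `icmp_error_allowed` and `directed_broadcast_iface` are hypothetical names, and the `link_broadcast` flag stands in for information a real filter would have to get from the driver, since IP-level rules alone cannot see the link-layer destination, which is exactly the point made above.

```python
"""Decide whether a packet-dropping firewall may answer with an ICMP error.

Implements the prohibition list of RFC 1122 s.3.2.2 and RFC 1812 s.4.3.2.7.
IPv4 only; a return value of (False, reason) means "drop silently".
"""
import ipaddress
from dataclasses import dataclass

# Constructed interface table for the example (hypothetical addresses).
INTERFACES = {
    "ext0": ipaddress.ip_interface("192.0.2.1/24"),
    "int0": ipaddress.ip_interface("198.51.100.1/24"),
}

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


@dataclass
class Packet:
    src: str
    dst: str
    in_if: str
    link_broadcast: bool = False   # arrived with a broadcast/multicast MAC destination
    fragment_offset: int = 0       # non-zero means a non-initial fragment
    icmp_error: bool = False       # the packet is itself an ICMP error message


def directed_broadcast_iface(addr, interfaces=INTERFACES):
    """Return the name of the interface whose subnet broadcast address is addr, else None."""
    addr = ipaddress.ip_address(addr)
    for name, iface in interfaces.items():
        if addr == iface.network.broadcast_address:
            return name
    return None


def icmp_error_allowed(pkt, interfaces=INTERFACES):
    """Return (allowed, reason). Checks are ordered from the link layer upward."""
    # Link-layer broadcast/multicast: silently eaten regardless of the IP address.
    if pkt.link_broadcast:
        return False, "arrived as link-layer broadcast/multicast"
    if pkt.icmp_error:
        return False, "packet is itself an ICMP error"
    if pkt.fragment_offset != 0:
        return False, "non-initial fragment"

    dst = ipaddress.ip_address(pkt.dst)
    if dst.is_multicast:
        return False, "IP multicast destination"
    if dst == LIMITED_BROADCAST:
        return False, "limited broadcast destination"
    bc_if = directed_broadcast_iface(dst, interfaces)
    if bc_if is not None:
        # Applies whichever interface the packet came in on; forwarding it
        # onto that subnet is a separate decision not made here.
        return False, f"directed broadcast for subnet on {bc_if}"

    # Source must identify a single host: no zero, loopback, broadcast,
    # multicast or class E (240/4, is_reserved) source.
    src = ipaddress.ip_address(pkt.src)
    if (src.is_unspecified or src.is_loopback or src.is_multicast
            or src.is_reserved or src == LIMITED_BROADCAST
            or directed_broadcast_iface(src, interfaces) is not None):
        return False, "source address does not identify a single host"

    return True, "unicast; an ICMP error (e.g. return-icmp) is permitted"


if __name__ == "__main__":
    # Constructed sample packets, one per branch of interest.
    samples = [
        Packet("192.0.2.50", "192.0.2.1", "ext0"),
        Packet("192.0.2.50", "192.0.2.255", "ext0", link_broadcast=True),
        Packet("203.0.113.9", "198.51.100.255", "ext0"),
        Packet("203.0.113.9", "255.255.255.255", "ext0"),
        Packet("0.0.0.0", "192.0.2.1", "ext0"),
        Packet("192.0.2.50", "192.0.2.1", "ext0", fragment_offset=8),
    ]
    for p in samples:
        ok, why = icmp_error_allowed(p)
        verdict = "reply" if ok else "silent"
        print(f"{p.src:>15} -> {p.dst:<15} on {p.in_if}: {verdict} ({why})")
```

The third sample is the case raised in the quoted text: a directed-broadcast address for the internal subnet arriving on the external interface. Under the RFC rule it gets no ICMP error either, so a silent drop there does not by itself distinguish a firewalled subnet from one that does not exist, provided other addresses on that subnet are handled the same way.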
