Subject: Re: making our tcp/ip a strong-end system
To: Alan Barrett <apb@iafrica.com>
From: Ronald Khoo <ronald@chersonese.com>
List: tech-net
Date: 11/12/1998 21:52:45
> But you can turn it around to "when we are about to accept a packet to a
> `strong' IP address, check that the actual input interface was the one
> and only acceptable interface for this IP address".

That inverts the security model, which would make it equivalent
for a completely strongended system, but not for semi-strongended systems.

Actually, thinking about it, your suggestion fits the case
that Paul Goyette mentioned, since it allows for access to
a particular address from anywhere -- just mark that address `weak'.

It doesn't solve the case where one has one red and two
amber interfaces, where boxes on the red ethernet are allowed to
talk to all IP addresses, but boxes on the amber ethernets are
only allowed to their 'nearest' IP address.  (Think of the
network management station sat on the red ethernet monitoring
all three services that the box serves...)

If one were to mark interfaces as `strong' then the amber ones would
be `strong', and the red one `weak'.  There is no equivalent
configuration where addresses rather than interfaces are marked `strong'.

Hm..  Maybe a totally general solution needs strong addresses
as well as strong interfaces.  (Or ipf :-)

> That way, there are
> no long lists to traverse, but you might have to remember the packet's
> input interface for a bit longer than would otherwise be necessary.

The input interface is in the mbuf packet header anyway, and the code
at the point at which the decision is made in ipintr() needs the
input interface for other reasons.

The code change to support your suggestion is fairly trivial.
Instead of a global variable, you simply put the `strong' flag in
the struct in_ifaddr.  It would have to be set with a socket ioctl
from ifconfig rather than sysctl.

The modified INADDR_TO_IA would refuse based upon ia->ia_strongended
rather than ip_strongendsystem, but I think the rest of the code
would be identical to the patch that Luke posted.

One must of course be careful to ensure that if a `strong'
address is applied to more than one interface, then all
of them must individually be set to `strong'.

One might have the global sysctl anyway which would force
the flag on every time SIOCAIFADDR is called, say.

Okay, looks like your suggestion is

	a) easy and inexpensive to implement
	b) solves Paul Goyette's problem

but doesn't solve my hypothetical situation.  I guess I'd better
go learn how to use ipf :-)


--
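The two placements of the `strong' flag that the mail compares, as an added toy model of the accept decision (not NetBSD code and not the patch Luke posted); the struct names, interface names and addresses are constructed for illustration:

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Toy model of the accept decision discussed in the thread; the structs and
 * names are constructed for illustration, not NetBSD's in_ifaddr/ifnet. */
struct ifaddr_entry { const char *addr; const char *ifname; bool strong; };
struct ifnet_entry  { const char *ifname; bool strong; };

/* Constructed configuration: one red and two amber interfaces, one service
 * address on each.  The red side is `weak', the amber sides `strong'. */
static const struct ifaddr_entry addrs[] = {
    { "192.0.2.1",    "red0",   false },
    { "198.51.100.1", "amber0", true  },
    { "203.0.113.1",  "amber1", true  },
};
static const struct ifnet_entry ifs[] = {
    { "red0", false }, { "amber0", true }, { "amber1", true },
};
#define NELEM(a) (sizeof (a) / sizeof (a)[0])

static const struct ifaddr_entry *lookup_addr(const char *dst)
{
    for (size_t i = 0; i < NELEM(addrs); i++)
        if (strcmp(addrs[i].addr, dst) == 0)
            return &addrs[i];
    return NULL;            /* not a local address: nothing to accept */
}

/* Flag on the address (the ia_strongended idea): a strong address is
 * accepted only when the packet arrived on the interface it lives on. */
bool accept_per_address(const char *dst, const char *rcvif)
{
    const struct ifaddr_entry *ia = lookup_addr(dst);
    if (ia == NULL) return false;
    return !ia->strong || strcmp(ia->ifname, rcvif) == 0;
}

/* Flag on the input interface: a strong interface only delivers to the
 * address configured on it; a weak interface delivers to any local address. */
bool accept_per_interface(const char *dst, const char *rcvif)
{
    const struct ifaddr_entry *ia = lookup_addr(dst);
    if (ia == NULL) return false;
    for (size_t i = 0; i < NELEM(ifs); i++)
        if (strcmp(ifs[i].ifname, rcvif) == 0)
            return !ifs[i].strong || strcmp(ia->ifname, rcvif) == 0;
    return false;           /* unknown input interface */
}
```

With this table a management station on red0 reaches the amber addresses only under the per-interface model, while the weak red address is reachable from an amber interface only under the per-address model; the two placements are not equivalent.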