Subject: Re: Host access philosophy (Was: restricting NFS (and associated services) to one IP address)
To: None <tls@rek.tjls.com>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-net
Date: 10/11/2006 16:04:55
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
>>>>> "Thor" == Thor Lancelot Simon <tls@rek.tjls.com> writes:
Thor> I think that if we provided sane primitives for discovering
Thor> the set of valid destination addresses for a host, and binding
Thor> a socket so that it would receive packets on _some addresses_
Thor> (not one, and not all) it would be easy to add the kind of
Thor> access control you seem to want (and which a lot of other
Thor> people would probably like as well) to our applications.
Thor> In this case, we would add it to mountd, rpcbind, and the
Thor> in-kernel NFS server. It would be a nice example of the
Thor> interface, actually.
I agree strongly.
In IPv6 land, I'd actually suggest some set of magic IP addresses that
map to "groups" in the kernel. We trivially have enough space to
allocate some link local addresses (or maybe we could convincely argue
that "site local" IPv6 addresses are host-local concepts).
In IPv4, the only way would be hacks like 127.0.0.2.
The group would map to a set of addresses which would set by the
administrator via sysctl or something. Canonically, the set could be
initialized to the first IP of the first interface configured.
Should be be all others? Maybe. that means that if mountd binds to
127.0.0.2, and we add all the interfaces configured (including
127.0.0.1), then mountd winds up listening on 0.0.0.0/0.
(NOTE: we need to make sure that all UDP applications use the
IP_PKTINFO(linux) / HAVE_IP_RECVDSTADDR (bsd) rather than open a whole
slew of sockets)
- --
] Bear: "Me, I'm just the shape of a bear." | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr@xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Finger me for keys
iQEVAwUBRS1OZICLcPvd0N1lAQJ/rgf+OidNhrXfHf20B2FTiUTeuqfuHyHCRmcK
HOuAOen0zsxvhKKOD6FrkGacCIzt9XzwCy8nE30x10dYKInyeOU8eufPxzIVG67N
WSKo3KNu2VHtyx2mnjpyGkrtzuVwIF3KKVc1hXHg46uDdepCLjtBt96umHjutS/3
wy/q/BP+nZnFubaDscGEX0ugSTFEtIQk1q7wiTym1eED9jNgugosh2xlZqpalvuH
eY5PEUYJhgthzsfzbVo+oHv6x91VUtzcBJGn0AhtjRQIdsM4nhsn6eRTh54YMc5d
T8iTXstmW0wOQxJdp2pCcjatYCbm4X8+ARwuhVcTNXbQGAjhHMC/Fg==
=IqMk
-----END PGP SIGNATURE-----