Date: Sun, 3 Mar 2002 00:46:12 +0000 (GMT)
From: Julian Anastasov
To: Alan Cox
cc: erich@uruk.org, Szekeres Bela, Daniel Gryniewicz, linux-kernel
Subject: Re: Network Security hole (was -> Re: arp bug )
X-Mailing-List: linux-kernel@vger.kernel.org

Hello,

On Sat, 2 Mar 2002, Alan Cox wrote:

> > behavior causes some problems for setups with rp_filter protection
> > and interfaces attached to same hub. If you want to find the reason
> > for this, here it is:
>
> rp_filter is an add on - not exactly default standards behaviour. If you
> want to make the case that rp_filter = 2 means apply a both way rule then
> I've personally no problem with that argument

The rp_filter value of 2 is not supported by Linux and after reading
the "5.3.8 Source Address Validation" paragraph from rfc1812 it seems
rp_filter 1 covers it. What exactly do you mean by value of 2? Note that
the remote box does not want to spoof, it was directed from BOX1 to a
wrong MAC where the traffic is spoofed, the remote hosts are not guilty.
They connect to the MAC we provide by broadcasts.

To Erich, rfc1812, 5.3.8 Source Address Validation:

If this feature is implemented, it MUST be disabled by default

Regards

--
Julian Anastasov