[Summary] multihomed host and anti-spoofing filters

From: Tobias Oetiker <oetiker_at_ee.ethz.ch>
Date: Tue Jan 11 2005 - 17:12:51 EST
My Question:

> We have a multi-homed Solaris box serving as a boot-server in
> several subnets. The machine does not route.
>
> Our Networking People now want to introduce anti-spoofing filters
> on each of the subnets routers/switches.
>
> This raises an interesting problem.
>
> When a client host opens a connection to the multi-homed server's
> main interface (which is not in the local subnet) the answer will
> be sent through the server's interface connected to the client's
> subnet.
>
> This does not play well with the anti-spoofing filters (or so our
> network people tell us).
>
> Is there any way to tell a Solaris box to always answer on the
> same interface as it received the packet in the first place?

Thanks to Philipp Buehler, Michael Horton, Matthew Stier, Darren
Dunham and Crist Clark for providing their insights.

This is what I have learned:

a) At the networking level, there is no association between any
   "incoming" and "reply" packets.  That could only be done at the
   application layer (it's not generally done).  The interface from
   which a packet leaves is determined by its destination alone.

b) Use ipfilter's NAT rules to do some source routing.  If a packet
   has a particular (Solaris) source address, force it to leave via
   a particular interface.

   http://www.sunmanagers.org/pipermail/summaries/2002-May/001645.html

c) One solution is to prevent the packets from going to the wrong
   interface in the first place by making sure that the hosts file
   has the 'main name' for the multihomed box on all its addresses,
   and have all the clients refer to the host via its 'main name'.
   Machines will then automatically use the closest interface and
   thus forgo any problems.

   192.168.1.1   host0   host
   192.168.2.1   host1   host
   192.168.3.1   host2   host
   192.168.4.1   host3   host

d) disable anti-spoofing on the switch ports of that machine ;-)

cheers
tobi

-- 
 ______    __   _
/_  __/_  / /  (_) Oetiker @ ISG.EE, ETL F24.2, ETH, CH-8092 Zurich
 / // _ \/ _ \/ /  System Manager, Time Lord, Coder, Designer, Coach
/_/ \.__/_.__/_/   http://people.ee.ethz.ch/oetiker +41(0)44-632-5286
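An added example, not part of the summary or written by any of the people credited above, that models points (a) and (c): the reply leaves via whichever interface the destination selects, the subnet router's anti-spoofing rule only accepts sources inside that subnet's prefix, and listing the main name on every address lets a client pick the on-link interface. The /24 masks, the default route via host0, the client addresses and the "prefer the on-link address" resolver behaviour are constructed assumptions.

```python
import ipaddress

# The four addresses of the multi-homed box from the hosts-file example
# in the summary. Assumptions: /24 masks and a default route via host0.
INTERFACES = {
    "host0": ipaddress.ip_interface("192.168.1.1/24"),
    "host1": ipaddress.ip_interface("192.168.2.1/24"),
    "host2": ipaddress.ip_interface("192.168.3.1/24"),
    "host3": ipaddress.ip_interface("192.168.4.1/24"),
}
# Option (c): the 'main name' listed on every one of its addresses.
HOSTS_FILE = {"host": [str(i.ip) for i in INTERFACES.values()]}


def egress_interface(dst):
    """Point (a): the outgoing interface is chosen by destination alone."""
    dst = ipaddress.ip_address(dst)
    for name, iface in INTERFACES.items():
        if dst in iface.network:
            return name
    return "host0"  # assumed default route leaves via the main interface


def reply_to(client_ip, server_ip):
    """The server's reply: source is whatever address the client talked to,
    egress is picked by client_ip; nothing remembers the ingress interface."""
    return {"src": server_ip, "dst": client_ip, "via": egress_interface(client_ip)}


def anti_spoof_accepts(pkt):
    """Ingress filter on the subnet router: accept a packet coming from the
    subnet only if its source address belongs to that subnet's prefix."""
    subnet = INTERFACES[pkt["via"]].network
    return ipaddress.ip_address(pkt["src"]) in subnet


def resolve_closest(hostname, client_ip):
    """Option (c), simplified: the client prefers the on-link address among
    those the hosts file lists for the main name (modelling assumption)."""
    client = ipaddress.ip_address(client_ip)
    for addr in HOSTS_FILE[hostname]:
        if client in ipaddress.ip_interface(f"{addr}/24").network:
            return addr
    return HOSTS_FILE[hostname][0]


if __name__ == "__main__":
    client = "192.168.2.50"                      # constructed client on subnet 2
    bad = reply_to(client, "192.168.1.1")        # client used host0's address
    good = reply_to(client, resolve_closest("host", client))
    print(bad, anti_spoof_accepts(bad))          # via host1, src off-subnet: dropped
    print(good, anti_spoof_accepts(good))        # via host1, src 192.168.2.1: passes
```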
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Tue Jan 11 17:13:21 2005

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:41 EST