OSEC

From: Lupe Christoph (lupeLUPE-CHRISTOPH.DE)
Date: Wed Mar 07 2001 - 01:59:10 CST


On Wednesday, 2001-03-07 at 00:45:22 +0000, Woody wrote:

> A machine which has routing turned off is not _expected_ to route, so it
> is not tested for. This is the point of this advisory, which is commonly
> missed.

You mean forwarding, not routing, I suppose?

Forwarding means that a router sends packets received on one interface
out to another interface, hence the term.

It does not mean the reachability of one interface of the router
by packets received on another. That's multi-homing.

As has been repeatedly pointed out to you, allowing this is
desirable in many situations (I'm not talking about 127/8 here;
this interface should not be reachable from the outside).

I have a lot of clients relying on this. They would be thoroughly
confused if their multihomed hosts used strict multihoming.

As for machines multihomed to different security zones - they
are relatively rare. Requiring *all* hosts to use strict multihoming
just because a few people could overlook a behaviour that could
compromise security in very few situations is overreacting.

I propose you retract your advisory because (as has been pointed out)
it isn't one. Instead, try to get vendors to implement *optional*
strict multihoming if they haven't already.

It saves on rulesets in IP Chains, Tables, Filter, etc. If you really
need it, that is.

Lupe Christoph

--
| lupelupe-christoph.de       |        http://free.prohosting.com/~lupe |
| I have challenged the entire ISO-9000 quality assurance team to a      |
| Bat-Leth contest on the holodeck. They will not concern us again.      |
| http://public.logica.com/~stepneys/joke/klingon.htm                    |
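An added illustration (not part of the original thread) of the two things the message separates: forwarding, which on Linux is the ip_forward sysctl, and strict destination multihoming, which Linux has no single switch for and therefore costs the INPUT rules the message mentions. Interface names and addresses are constructed sample data; the rule generator only prints commands, it does not apply them.

```shell
#!/bin/sh
# Added example, not from the original post. Shows the distinction between
# forwarding (net.ipv4.ip_forward) and strict destination multihoming, and
# emits the netfilter rules a host without a strict-multihoming option needs.

# Classify a raw ip_forward sysctl value (0 or 1).
forwarding_state() {
    case "$1" in
        1) echo "forwarding (router)";;
        0) echo "not forwarding (host)";;
        *) echo "unknown ($1)";;
    esac
}

# Read the live value on a Linux box. SYSCTL_ROOT can be pointed at a
# directory of sample files when testing off-box.
live_forwarding_state() {
    f="${SYSCTL_ROOT:-/proc/sys/net/ipv4}/ip_forward"
    if [ -r "$f" ]; then
        forwarding_state "$(cat "$f")"
    else
        echo "unknown (no $f)"
    fi
}

# Emit INPUT rules so a multihomed host only answers to the address bound to
# the receiving interface (strict destination multihoming). Reads
# "<iface> <address>" lines on stdin, e.g. "eth0 192.0.2.10" (constructed).
# 127/8 is reachable only via lo, matching the message's point about 127/8.
# Caveat: the plain "! -d <addr>" form also drops broadcast and multicast
# arriving on that interface; add explicit ACCEPTs for those if needed.
strict_multihoming_rules() {
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP"
    while read -r iface addr; do
        [ -z "$iface" ] && continue
        echo "iptables -A INPUT -i $iface ! -d $addr -j DROP"
    done
}

# Stand-alone run: report the local forwarding state and show the ruleset
# that two constructed interfaces would require.
if [ "${1:-}" = "--demo" ]; then
    live_forwarding_state
    printf 'eth0 192.0.2.10\neth1 198.51.100.10\n' | strict_multihoming_rules
fi
```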