restrict implicit binding to interfaces - Networking


Thread: restrict implicit binding to interfaces

  1. Re: restrict implicit binding to interfaces

    On Oct 30, 10:57 am, Rick Jones wrote:

    > > Traffic to any IP assigned to the machine will, and must, be accepted
    > > regardless of what interface it arrives on.


    > In the weak end system model, yes. In the strong end system model
    > that does not apply. Some systems (eg HP-UX, perhaps Solaris) allow
    > the system to be put into (some variation on the theme of) the strong
    > end system model.


    Why would a machine reject a packet:

    1) Destined for a non-local address assigned to that machine;

    2) That was routed to it by the network; and

    3) That is not prohibited by any firewall rule?

    Just to break things for the sheer hell of it?

    DS

  2. Re: restrict implicit binding to interfaces

    David Schwartz wrote:
    > On Oct 30, 10:57 am, Rick Jones wrote:
    > > In the weak end system model, yes. In the strong end system model
    > > that does not apply. Some systems (eg HP-UX, perhaps Solaris)
    > > allow the system to be put into (some variation on the theme of)
    > > the strong end system model.


    > Why would a machine reject a packet:


    > 1) Destined for a non-local address assigned to that machine;
    > 2) That was routed to it by the network; and
    > 3) That is not prohibited by any firewall rule?
    > Just to break things for the sheer hell of it?


    Routing behaviour. End System behavour. Two distinct behaviour sets
    which may happen simultaneously in the same sheetmetal. Need to think
    of them separately from one another.

    As for why the strong end system model exists this may be as good a
    starting point as any: http://tools.ietf.org/html/rfc1122

    rick jones
    --
    portable adj, code that compiles under more than one compiler
    these opinions are mine, all mine; HP might not want them anyway...
    feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

  3. Re: restrict implicit binding to interfaces

    On Oct 30, 11:20 am, Rick Jones wrote:

    > Routing behaviour. End System behaviour. Two distinct behaviour sets
    > which may happen simultaneously in the same sheetmetal. Need to think
    > of them separately from one another.


    I agree. A router cannot assume that a packet it received is probably
    for it. But an end system can.

    > As for why the strong end system model exists this may be as good a
    > starting point as any: http://tools.ietf.org/html/rfc1122


    Yes, it says:
    "Be liberal in what you accept, and
    conservative in what you send"
    That is, don't throw away a packet when there is only one possible
    thing it could mean.

    Its only defense is:

    "With respect to (A), proponents of the Strong ES model note that
    automatic Internet routing mechanisms could not route a datagram to
    a physical interface that did not correspond to the destination
    address."

    This is in direct defiance of the robustness principle. Ignore
    something because it can't happen, even when it most definitely *can*
    and *does* happen, as this thread proves.

    DS

  4. Re: restrict implicit binding to interfaces

    One example of where a strong end system model might be useful would
    be a DMZ system. You might not want a server bound to the "internal
    IP" to receive traffic routed via the external interface. So, if the
    strong end system model is active, it will only accept datagrams
    destined to the internal IP on the "internal" interface.

    There are of course other ways to arrive at the same end condition -
    configure the server application to only accept connections from a
    configured range of internal IP addresses, or set up firewall rules to
    drop datagrams arriving on the external interface with the internal IP
    as the destination - of course that last one is simply using the
    firewall rules to make the system behave as if it were using the
    strong end system model.

    rick jones
    --
    oxymoron n, Hummer H2 with California Save Our Coasts and Oceans plates
    these opinions are mine, all mine; HP might not want them anyway...
    feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...
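The two host-side options in the post above (a per-address firewall rule, or the strong end system model itself) can be put side by side. What follows is an added example, not code from this thread or from any of the systems it mentions. It models a constructed two-interface DMZ host (documentation-range addresses), decides local delivery under the weak and strong models, and emits the nftables input rules (the `inet filter` table and `input` chain names are assumed) that make a weak-model kernel such as Linux behave as the strong model would.

```python
"""Weak vs. strong end-system delivery on a multi-homed host, and the
firewall rules that emulate the strong model on a weak-model kernel.

Added example: the host, interfaces, addresses and sample traffic below
are constructed (RFC documentation ranges), not taken from the thread."""
from dataclasses import dataclass
from ipaddress import ip_address, IPv4Address, IPv6Address
from typing import Dict, List, Set, Tuple, Union

Addr = Union[IPv4Address, IPv6Address]

# Constructed DMZ host: eth0 faces the outside, eth1 faces the internal net.
HOST_INTERFACES: Dict[str, Set[Addr]] = {
    "eth0": {ip_address("203.0.113.10")},  # external (TEST-NET-3)
    "eth1": {ip_address("10.0.0.5")},      # internal
}


@dataclass(frozen=True)
class Packet:
    iif: str   # interface the datagram arrived on
    dst: Addr  # destination address


def local_addresses(ifaces: Dict[str, Set[Addr]]) -> Set[Addr]:
    return set().union(*ifaces.values())


def deliver(pkt: Packet, ifaces: Dict[str, Set[Addr]],
            strong: bool = False, forwarding: bool = False) -> str:
    """Decide what the IP layer does with an inbound datagram.

    Weak ES model: any local address is accepted on any interface.
    Strong ES model: a local address is accepted only on the interface
    that holds it. Non-local destinations are forwarded only when the
    host is acting as a router, otherwise dropped.
    """
    if pkt.dst in local_addresses(ifaces):
        if not strong or pkt.dst in ifaces.get(pkt.iif, set()):
            return "accept"
        return "drop"
    return "forward" if forwarding else "drop"


def strong_es_rules(ifaces: Dict[str, Set[Addr]]) -> List[Tuple[str, Addr]]:
    """One (interface, address) pair per local address: the address is to
    be dropped when it arrives on any other interface."""
    return [(ifname, addr)
            for ifname, addrs in ifaces.items()
            for addr in sorted(addrs, key=str)]


def render_nft(rules: List[Tuple[str, Addr]], table: str = "inet filter",
               chain: str = "input") -> List[str]:
    """Render the pairs as nftables rules (table/chain names are assumed)."""
    lines = []
    for ifname, addr in rules:
        proto = "ip6" if addr.version == 6 else "ip"
        lines.append(f'add rule {table} {chain} iifname != "{ifname}" '
                     f'{proto} daddr {addr} drop')
    return lines


def firewall_decision(pkt: Packet, rules: List[Tuple[str, Addr]],
                      ifaces: Dict[str, Set[Addr]]) -> str:
    """A weak-model kernel with the generated rules in front of delivery."""
    for ifname, addr in rules:
        if pkt.dst == addr and pkt.iif != ifname:
            return "drop"
    return deliver(pkt, ifaces, strong=False)


# Constructed sample traffic, including the case the thread argues about:
# the internal address reached via the external interface.
SAMPLES = [
    Packet("eth1", ip_address("10.0.0.5")),       # internal IP, internal side
    Packet("eth0", ip_address("10.0.0.5")),       # internal IP, external side
    Packet("eth0", ip_address("203.0.113.10")),   # external IP, external side
    Packet("eth1", ip_address("198.51.100.7")),   # not one of ours at all
]


def compare(ifaces=HOST_INTERFACES, samples=SAMPLES):
    """Map each packet to its (weak, strong, firewall-emulated) decision."""
    rules = strong_es_rules(ifaces)
    return {p: (deliver(p, ifaces), deliver(p, ifaces, strong=True),
                firewall_decision(p, rules, ifaces)) for p in samples}


if __name__ == "__main__":
    for pkt, (weak, strong, fw) in compare().items():
        print(f"{pkt.iif:5} -> {str(pkt.dst):14} weak={weak:7} "
              f"strong={strong:7} nft={fw}")
    print("\n".join(render_nft(strong_es_rules(HOST_INTERFACES))))
```

The generated rules only touch the input path: locally originated and forwarded traffic are left alone, so a host that also has to route keeps that ability, whereas a system-wide strong ES switch affects every local address at once. The third column of `compare()` matching the second is the point of Rick's last sentence: the firewall is doing per-address what the strong model does globally.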

  5. Re: restrict implicit binding to interfaces

    On Oct 31, 10:39 am, Rick Jones wrote:

    > One example of where a strong end system model might be useful would
    > be a DMZ system. You might not want a server bound to the "internal
    > IP" to receive traffic routed via the external interface. So, if the
    > strong end system model is active, it will only accept datagrams
    > destined to the internal IP on the "internal" interface.


    Right, but then you'd be trusting the service to bind to the right
    place. If you could trust the service to manage its own security, why
    wouldn't you want it bound to the external interface?

    > There are of course other ways to arrive at the same end condition -
    > configure the server application to only accept connections from a
    > configured range of internal IP addresses, or set up firewall rules to
    > drop datagrams arriving on the external interface with the internal IP
    > as the destination - of course that last one is simply using the
    > firewall rules to make the system behave as if it were using the
    > strong end system model.


    Since a firewall is both necessary and sufficient, what does the
    strong end system model add?

    DS

  6. Re: restrict implicit binding to interfaces

    David Schwartz wrote:
    > On Oct 31, 10:39 am, Rick Jones wrote:
    > > One example of where a strong end system model might be useful would
    > > be a DMZ system. You might not want a server bound to the "internal
    > > IP" to receive traffic routed via the external interface. So, if the
    > > strong end system model is active, it will only accept datagrams
    > > destined to the internal IP on the "internal" interface.


    > Right, but then you'd be trusting the service to bind to the right
    > place. If you could trust the service to manage its own security,
    > why wouldn't you want it bound to the external interface?


    Simplicity. If I have a strong end system model all I have to do is
    tell the application on which IPs it should listen and I'm done. I
    don't have to teach it anything further about the topology of my
    internal networks.

    > > There are of course other ways to arrive at the same end condition -
    > > configure the server application to only accept connections from a
    > > configured range of internal IP addresses, or set up firewall rules to
    > > drop datagrams arriving on the external interface with the internal IP
    > > as the destination - of course that last one is simply using the
    > > firewall rules to make the system behave as if it were using the
    > > strong end system model.


    > Since a firewall is both necessary and sufficient, what does the
    > strong end system model add?


    Firewalls may be sufficient, but IMO they are only necessary because
    we either don't, won't or can't trust application/OS security.

    rick jones
    --
    The computing industry isn't as much a game of "Follow The Leader" as
    it is one of "Ring Around the Rosy" or perhaps "Duck Duck Goose."
    - Rick Jones
    these opinions are mine, all mine; HP might not want them anyway...
    feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

  7. Re: restrict implicit binding to interfaces

    On Oct 31, 2:06 pm, Rick Jones wrote:

    > > Right, but then you'd be trusting the service to bind to the right
    > > place. If you could trust the service to manage its own security,
    > > why wouldn't you want it bound to the external interface?


    > Simplicity. If I have a strong end system model all I have to do is
    > tell the application on which IPs it should listen and I'm done. I
    > don't have to teach it anything further about the topology of my
    > internal networks.


    But that's because you've already taught it everything about the
    topology of your internal networks, and you're relying upon that
    knowledge for your security.

    > > > There are of course other ways to arrive at the same end condition -
    > > > configure the server application to only accept connections from a
    > > > configured range of internal IP addresses, or set up firewall rules to
    > > > drop datagrams arriving on the external interface with the internal IP
    > > > as the destination - of course that last one is simply using the
    > > > firewall rules to make the system behave as if it were using the
    > > > strong end system model.


    > > Since a firewall is both necessary and sufficient, what does the
    > > strong end system model add?


    > Firewalls may be sufficient, but IMO they are only necessary because
    > we either don't, won't or can't trust application/OS security.


    We don't trust "accidental security". We only trust engineered
    security. So it comes down to whether a strong end system model can be
    considered secured by design or just secured by accident.

    Frankly, it makes no sense whatsoever to me. It forces you into a
    bizarre all-or-nothing decision that relies on the network topology to
    provide the security. Worse, it forever prevents the device from
    performing any routing functions, which is very limiting because even
    traditional end systems often wind up having to do some kinds of
    routing functions.

    DS

  8. Re: restrict implicit binding to interfaces

    David Schwartz wrote:
    > We don't trust "accidental security". We only trust engineered
    > security. So it comes down to whether a strong end system model can
    > be considered secured by design or just secured by accident.


    > Frankly, it makes no sense whatsoever to me. It forces you into a
    > bizarre all-or-nothing decision that relies on the network topology to
    > provide the security.


    A firewall isn't part of the network topology?

    rick jones
    --
    denial, anger, bargaining, depression, acceptance, rebirth...
    where do you want to be today?
    these opinions are mine, all mine; HP might not want them anyway...
    feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...
