Use Localhost address to avoid traffic on ethernet? - TCP-IP



Thread: Use Localhost address to avoid traffic on ethernet?

  1. Use Localhost address to avoid traffic on ethernet?

    Hi,

    I want my application to avoid sending data within my local intranet
    if the server and client app are on the same host.
    Is it guaranteed that no packets will leave the local machine if I use
    the localhost address as destination?
    Or is it OS specific?

    Thanks!

  2. Re: Use Localhost address to avoid traffic on ethernet?

    In article ,
    PsiX wrote:

    >I want my application to avoid sending data within my local intranet
    >if the server and client app are on the same host.
    >Is it guaranteed that no packets will leave the local machine if I use
    >the localhost address as destination?
    >Or is it OS specific?


    Never ask for guarantees when it comes to networking. Remember that
    packet sniffers generally work within the stack rather than at the
    NIC level. And remember that no matter how many MUST NOTs a
    networking RFC uses in one sentence, any given implementation might
    choose otherwise, whether due to bug or design decision.

  3. Re: Use Localhost address to avoid traffic on ethernet?

    On Aug 21, 4:13 pm, rober...@hushmail.com (Walter Roberson) wrote:
    > In article ,
    >
    > PsiX wrote:
    > >I want my application to avoid sending data within my local intranet
    > >if the server and client app are on the same host.
    > >Is it guaranteed that no packets will leave the local machine if I use
    > >the localhost address as destination?
    > >Or is it OS specific?

    >
    > Never ask for guarantees when it comes to networking. Remember that
    > packet sniffers generally work within the stack rather than at the
    > NIC level. And remember that no matter how many MUST NOTs a
    > networking RFC uses in one sentence, any given implementation might
    > choose otherwise, whether due to bug or design decision.


    So I can't really make sure in general that no packets leave my PC?

    Is it at least the OS's choice or the network driver's?

  4. Re: Use Localhost address to avoid traffic on ethernet?

    In article <8850aa68-38ab-480a-aec6-604f1ca489fa@j22g2000hsf.googlegroups.com>,
    PsiX wrote:
    >On Aug 21, 4:13*pm, rober...@hushmail.com (Walter Roberson) wrote:


    >> >I want my application to avoid sending data within my local intranet
    >> >if the server and client app are on the same host.
    >> >Is it guaranteed that no packets will leave the local machine if I use
    >> >the localhost address as destination?
    >> >Or is it OS specific?

    >>
    >> Never ask for guarantees when it comes to networking. Remember that
    >> packet sniffers generally work within the stack rather than at the
    >> NIC level. And remember that no matter how many MUST NOTs a
    >> networking RFC uses in one sentence, any given implementation might
    >> choose otherwise, whether due to bug or design decision.

    >
    >So I can't really make sure in general that no packets leave my PC?


    In general, no packets addressed to 127.0.0.1 will ever be put on the
    wire. Firewall rules against packets on non-loopback interfaces to or
    from 127/8 are common. Most network interface drivers for BSD style
    TCP/IP implementations will not put any packet with an IP address
    assigned to a working, local interface on the wire. However, "make
    sure" suggests some sort of impossible guarantee.


    >Is it at least the OS's choice or the network driver's?


    As Walter Roberson wrote, there are no guarantees. That applies to
    more than network stuff. Bugs and surprising design choices happen.
    The BSD style of not putting IP packets with local addresses on the
    wire has been controversial for decades, and I think some people (perhaps
    for some HP system?) have made other choices. Hordes have complained
    over the decades that `ping myhost` does not test any hardware.

    A better path would be to directly address the real problem; packets
    leaked onto wires cannot by themselves be a problem. If the real problem
    involves security, then the only prudent solutions involve disconnecting
    the sensitive network from the rest of the universe...unless you've
    drunk TSIG or other brands of security kernel, mandatory access control
    (MAC), capabilities, etc. koolaid. In the real world, things (including
    bad local configurations) happen and the only seriously secure firewalls
    are "air gaps" with faraday cages and guards who watch for removable
    media as required.

    If the worry is about performance or physical network load, then the
    best tactic is to watch for problems and apply the "Am I first?" test.
    You would not be the first person with an application with vast amounts
    of intra-host traffic that would clobber real networks if it got onto
    them. If applications in which clients talked a lot to servers within
    the same host generally bogged down connected wires, someone would have
    noticed decades ago and done something.


    Vernon Schryver vjs@rhyolite.com

  5. Re: Use Localhost address to avoid traffic on ethernet?

    On Aug 21, 5:28 pm, v...@calcite.rhyolite.com (Vernon Schryver) wrote:
    > In article <8850aa68-38ab-480a-aec6-604f1ca48...@j22g2000hsf.googlegroups..com>,
    >
    > PsiX wrote:
    > >On Aug 21, 4:13 pm, rober...@hushmail.com (Walter Roberson) wrote:
    > >> >I want my application to avoid sending data within my local intranet
    > >> >if the server and client app are on the same host.
    > >> >Is it guaranteed that no packets will leave the local machine if I use
    > >> >the localhost address as destination?
    > >> >Or is it OS specific?

    >
    > >> Never ask for guarantees when it comes to networking. Remember that
    > >> packet sniffers generally work within the stack rather than at the
    > >> NIC level. And remember that no matter how many MUST NOTs a
    > >> networking RFC uses in one sentence, any given implementation might
    > >> choose otherwise, whether due to bug or design decision.

    >
    > >So I can't really make sure in general that no packets leave my PC?

    >
    > In general, no packets addressed to 127.0.0.1 will ever be put on the
    > wire. Firewall rules against packets on non-loopback interfaces to or
    > from 127/8 are common. Most network interface drivers for BSD style
    > TCP/IP implementations will not put any packet with an IP address
    > assigned to a working, local interface on the wire. However, "make
    > sure" suggests some sort of impossible guarantee.
    >
    > >Is it at least the OS's choice or the network driver's?

    >
    > As Walter Roberson wrote, there are no guarantees. That applies to
    > more than network stuff. Bugs and surprising design choices happen.
    > The BSD style of not putting IP packets with local addresses on the
    > wire has been controversial for decades, and I think some people (perhaps
    > for some HP system?) have made other choices. Hordes have complained
    > over the decades that `ping myhost` does not test any hardware.
    >
    > A better path would be to directly address the real problem; packets
    > leaked onto wires cannot by themselves be a problem. If the real problem
    > involves security, then the only prudent solutions involve disconnecting
    > the sensitive network from the rest of the universe...unless you've
    > drunk TSIG or other brands of security kernel, mandatory access control
    > (MAC), capabilities, etc. koolaid. In the real world, things (including
    > bad local configurations) happen and the only seriously secure firewalls
    > are "air gaps" with faraday cages and guards who watch for removable
    > media as required.
    >
    > If the worry is about performance or physical network load, then the
    > best tactic is to watch for problems and apply the "Am I first?" test.
    > You would not be the first person with an application with vast amounts
    > of intra-host traffic that would clobber real networks if it got onto
    > them. If applications in which clients talked a lot to servers within
    > the same host generally bogged down connected wires, someone would have
    > noticed decades ago and done something.
    >
    > Vernon Schryver v...@rhyolite.com


    Thanks a lot!

    I can only verify so much, so I had to ask for the general case.

    We worry about performance. We already advise our customers to
    dedicate a separate network for the specific load-heavy use case of
    our application, but as the computing power of PCs still rises it is
    possible to run both our application and the consumer on one host,
    and that is how my initial question sprang up.

    Thanks again.

  6. Re: Use Localhost address to avoid traffic on ethernet?

    > We worry about performance. We already advise our customers to
    > dedicate a separate network for the specific load-heavy use case of
    > our application, but as the computing power of PCs still rises it is
    > possible to run both our application and the consumer on one host,
    > and that is how my initial question sprang up.


    If you are concerned about performance, when both your application and
    the consumer are on the same host you might arrange to use a local IPC
    mechanism rather than a networking one that happens to be going over
    loopback. In the case of Unix/Linux if you still want a sockets
    interface you could use Unix domain, aka AF_UNIX sockets. Those tend
    to run faster for the local case than AF_INET and you have further
    assurances the traffic will not go out any network interface.

    rick jones
    --
    Wisdom Teeth are impacted, people are affected by the effects of events.
    these opinions are mine, all mine; HP might not want them anyway...
    feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...
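An added example, not Rick's code or the original poster's, of the approach he suggests: pick AF_UNIX when the peer is on the same host and fall back to TCP otherwise. The host-name check, the socket path and the echo servers are assumptions made so it runs stand-alone.

```python
import os
import socket
import tempfile
import threading

# Added example (not code from the thread): when client and server share a
# host, talk over a Unix domain socket instead of TCP through loopback.
# Assumption: the client knows the server's host name and, for the local
# case, the path of the server's AF_UNIX socket file.

LOCAL_NAMES = {"localhost", "127.0.0.1", "::1"}


def is_same_host(server_host):
    """True if server_host names this machine (loopback alias or own name)."""
    return server_host in LOCAL_NAMES or server_host == socket.gethostname()


def _echo_loop(listener):
    """Accept connections forever and echo one message per connection."""
    while True:
        conn, _ = listener.accept()
        with conn:
            conn.sendall(conn.recv(4096))


def start_echo_servers(unix_path):
    """Listen on TCP loopback (ephemeral port) and on a Unix domain socket;
    return the TCP port. Both listeners echo whatever they receive."""
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.bind(("127.0.0.1", 0))
    tcp.listen(5)
    unx = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    unx.bind(unix_path)
    unx.listen(5)
    for listener in (tcp, unx):
        threading.Thread(target=_echo_loop, args=(listener,), daemon=True).start()
    return tcp.getsockname()[1]


def connect(server_host, tcp_port, unix_path):
    """Choose the transport: AF_UNIX when the peer is local and its socket
    file exists, AF_INET (TCP, here via loopback) otherwise."""
    if is_same_host(server_host) and os.path.exists(unix_path):
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        sock.connect(unix_path)
    else:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect((server_host, tcp_port))
    return sock


def roundtrip(server_host, tcp_port, unix_path, payload):
    """Send payload and return (address family name, echoed bytes)."""
    with connect(server_host, tcp_port, unix_path) as sock:
        sock.sendall(payload)
        return sock.family.name, sock.recv(4096)


def run_demo():
    """Exercise both paths: local peer -> AF_UNIX; no socket file -> TCP."""
    unix_path = os.path.join(tempfile.mkdtemp(), "echo.sock")
    port = start_echo_servers(unix_path)
    local = roundtrip("localhost", port, unix_path, b"via unix socket")
    fallback = roundtrip("127.0.0.1", port, unix_path + ".missing", b"via tcp")
    return {"local": local, "fallback": fallback}


if __name__ == "__main__":
    print(run_demo())
```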

  7. Re: Use Localhost address to avoid traffic on ethernet?

    On Thu, 21 Aug 2008 05:36:26 -0700, PsiX wrote:

    > Hi,
    >
    > I want my application to avoid sending data within my local intranet if
    > the server and client app are on the same host. Is it guaranteed that no
    > packets will leave the local machine if I use the localhost address as
    > destination? Or is it OS specific?


    As others said, no guarantees. And as Rick said, look into local IPC,
    it's normally much faster.

    That said, I would be extremely surprised if anything addressed to
    127.0.0.1 would hit the actual hardware.

    1) Performance. Anything to get an edge over a competitor, not hitting
    the hardware for 127.0.0.1 is an easy win (or actually, a stupid loss if
    you do hit the hardware, no one does that).

    2) It doesn't make sense. If I have two ethernet adaptors, which one will
    get the packet?

    It's something completely else if you use the address assigned to an
    actual NIC for the communication. In that case you have less of a
    guarantee, but most OSes don't actually hit the hardware. Same reason,
    performance.

    You can try to add a host route for the local NIC IP to the loopback
    device. Some OSes actually do this as standard. I doubt it will make a
    difference.

    In practice? I wouldn't worry about it. I would benchmark specific OSes
    and give guarantees on those specific OSes. And look into local IPC.

    HTH,
    M4

  8. Re: Use Localhost address to avoid traffic on ethernet?

    PsiX wrote:
    > I want my application to avoid sending data within my local intranet
    > if the server and client app are on the same host.
    > Is it guaranteed that no packets will leave the local machine if I use
    > the localhost address as destination?
    > Or is it OS specific?


    IF your host machine has an IPv6 stack AND that stack is conformant to the
    RFCs AND your applications can communicate using IPv6, THEN you are
    supposed to be guaranteed that traffic to the loopback address "::1" will
    not be sent outside that machine.

    Here's what RFC 4291 says:

    "2.5.3. The Loopback Address
    [...]
    An IPv6 packet with a destination address of loopback must never be sent
    outside of a single node and must never be forwarded by an IPv6 router.
    [...]"

    IPv4 never had such requirements that I can find. But I do know that the
    Linux IPv4 stack does not appear to transmit loopback packets onto the
    wire. Indeed, I have multihomed hosts where I have been unable to get Linux
    to push packets out any of the interfaces (even when I want to see them
    "loop back" out on the wire) if it sees the destination IP bound to one of
    the interfaces. This even after trying to fake the kernel out using static
    routes, arp table manipulations, and such. There may be a way, but I gave
    up trying to find it.

    Oh yeah - I also know that the Linux IPv6 stack violates some of the
    address strictures of RFC 4291. At least it did a year or two ago. I
    haven't checked lately. For example, an IPv6 stack is supposed to discard
    any datagram that comes in on an interface that is addressed to the
    loopback address. Well it didn't - it happily said "hey, right MAC address,
    that address exists as a valid destination address on this machine, so sure
    - come on in!"

  9. Re: Use Localhost address to avoid traffic on ethernet?

    Martijn Lievaart wrote:

    > That said, I would be extremely surprised if anything addressed to
    > 127.0.0.1 would hit the actual hardware.


    Welllll - I may have misinterpreted the email string, but over in the
    linux netdev mailing list, there was a discussion recently about
    issues where netfilter was either migrating loopback traffic to a
    remote IP or the other way around.

    Still 99 times out of 10 traffic destined for 127.0.0.1 isn't going to
    leave the system.

    > 1) Performance. Anything to get an edge over a competitor, not hitting
    > the hardware for 127.0.0.1 is an easy win (or actually, a stupid loss if
    > you do hit the hardware, no one does that).


    I can think of some stacks that not only don't hit the hardware for a
    local IP, they don't even hit the NIC driver for a local IP.

    rick jones
    --
    The glass is neither half-empty nor half-full. The glass has a leak.
    The real question is "Can it be patched?"
    these opinions are mine, all mine; HP might not want them anyway...
    feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

  10. Re: Use Localhost address to avoid traffic on ethernet?

    Hello,

    Rick Jones wrote:
    > Martijn Lievaart wrote:
    >
    >>That said, I would be extremely surprised if anything addressed to
    >>127.0.0.1 would hit the actual hardware.

    >
    > Welllll - I may have misinterpreted the email string, but over in the
    > linux netdev mailing list, there was a discussion recently about
    > issues where netfilter was either migrating loopback traffic to a
    > remote IP or the other way around.


    Was it about the use of the DNAT iptables target to translate the
    loopback destination address into a remote address and vice versa?
    Indeed two problems may arise when doing this:
    - if you use DNAT in the PREROUTING chain on incoming packets to
    translate the remote destination address into the loopback address, then
    the input routing stage will see a packet with a destination address set
    to the loopback address arriving on a non-loopback interface and will
    discard it;
    - if you use DNAT in the OUTPUT chain on outgoing packets to translate
    the loopback destination address into a remote address, then the output
    routing stage will see a packet with a source address by default set to
    the loopback address leaving on a non-loopback interface and will
    discard it before it has a chance to be source-NATed later. Older
    kernels used to translate the source address so it worked, recent
    kernels don't do this any more.

    >>1) Performance. Anything to get an edge over a competitor, not hitting
    >>the hardware for 127.0.0.1 is an easy win (or actually, a stupid loss if
    >>you do hit the hardware, no one does that).


    Not only performance. The destination is the sending host, and there is
    no guarantee that the hardware (NIC, switch...) will transmit the packet
    back to the sending host.

    > I can think of some stacks that not only don't hit the hardware for a
    > local IP, they don't even hit the NIC driver for a local IP.


    Of course they don't. Why would they? Why should the NIC driver take
    care of traffic that does not go through the NIC?

  11. Re: Use Localhost address to avoid traffic on ethernet?

    Jim Logajan wrote:
    >
    > Here's what RFC 4291 says:
    >
    > "2.5.3. The Loopback Address
    > [...]
    > An IPv6 packet with a destination address of loopback must never be sent
    > outside of a single node and must never be forwarded by an IPv6 router.
    > [...]"
    >
    > IPv4 never had such requirements that I can find.


    What about RFC 1122, 1812, 3330?

    > Indeed, I have multihomed hosts where I have been unable to get Linux
    > to push packets out any of the interfaces (even when I want to see them
    > "loop back" out on the wire) if it sees the destination IP bound to one of
    > the interfaces.


    Indeed. The kernel has a local host route for any local address.

    > This even after trying to fake the kernel out using static
    > routes, arp table manipulations, and such.


    All this is useless. The local routes are in a special routing table
    named 'local' that has precedence over anything else, including the main
    routing table (which is manipulated by the "route" command) and advanced
    routing rules.
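An added check, not from any post in the thread, that applies the rule Jim quotes from RFC 4291 and the IPv4 equivalent Pascal points to in RFC 1122; it is the same decision as the firewall rules Vernon mentions in post 4 and the input-routing discard Pascal describes in post 10: a loopback address that shows up on a non-loopback interface is dropped. The interface names and the sample packets are assumptions.

```python
import ipaddress

# Added example, not from the thread: the interface-side sanity check the
# posts describe. RFC 1122 says 127/8 must not appear outside a host and
# RFC 4291 2.5.3 says ::1 must never be sent outside a node, so a loopback
# address entering or leaving on a non-loopback interface is spoofed or
# misrouted traffic and is dropped.
# Assumption: loopback interfaces are named "lo" (Linux) or "lo0" (BSD).

LOOPBACK_IFACES = {"lo", "lo0"}


def _parse(addr):
    """Parse an address; an IPv4-mapped IPv6 address (::ffff:a.b.c.d) is
    checked as the embedded IPv4 address so ::ffff:127.0.0.1 is not missed."""
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)  # only IPv6Address has it
    return mapped if mapped is not None else ip


def loopback_violation(src, dst, ifname):
    """Return why the packet must be dropped, or None if it is acceptable
    on the interface it was seen on (either direction)."""
    if ifname in LOOPBACK_IFACES:
        return None  # anything may traverse lo, including local NIC addresses
    s, d = _parse(src), _parse(dst)
    if d.is_loopback:
        return "loopback destination %s seen on %s" % (dst, ifname)
    if s.is_loopback:
        return "loopback source %s seen on %s" % (src, ifname)
    return None


# Constructed sample (src, dst, interface) tuples, not captured data.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.1", "eth0"),              # ordinary traffic
    ("127.0.0.1", "127.0.0.1", "lo"),              # normal loopback
    ("10.0.0.1", "10.0.0.1", "lo"),                # local NIC address via lo
    ("10.0.0.5", "127.0.0.1", "eth0"),             # the PREROUTING DNAT case
    ("127.0.0.1", "10.0.0.9", "eth0"),             # the OUTPUT DNAT case
    ("::1", "::1", "lo"),                          # normal IPv6 loopback
    ("2001:db8::5", "::1", "eth0"),                # RFC 4291 2.5.3 violation
    ("2001:db8::5", "::ffff:127.0.0.1", "eth0"),   # mapped loopback, still bad
]


def audit(packets=SAMPLE_PACKETS):
    """Return the packets that would be dropped, each with its reason."""
    dropped = []
    for src, dst, ifname in packets:
        reason = loopback_violation(src, dst, ifname)
        if reason is not None:
            dropped.append(((src, dst, ifname), reason))
    return dropped


if __name__ == "__main__":
    for pkt, reason in audit():
        print("DROP", pkt, "-", reason)
```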

  12. Re: Use Localhost address to avoid traffic on ethernet?

    In article ,
    Pascal Hambourg wrote:

    >> I can think of some stacks that not only don't hit the hardware for a
    >> local IP, they don't even hit the NIC driver for a local IP.

    >
    >Of course they don't. Why would they? Why should the NIC driver take
    >care of traffic that does not go through the NIC?


    People with experience with serious communications systems expect at
    least one mode of loopback tests to cover as much of the hardware as
    physically possible. For example, they expect a loopback test on an
    802.3 interface to at least exercise enough of the hardware to detect
    a disconnected cable (e.g. lack of heartbeat on twisted pairs or no
    carrier on yellow hose). So they complain when `ping myhost` is
    short-circuited by the driver or routing and never gets close to the
    hardware. If hosts did not have applications that sent a lot of bits
    to each other using those same loopback paths, those complaints might
    be valid.


    Vernon Schryver vjs@rhyolite.com

  13. Re: Use Localhost address to avoid traffic on ethernet?

    In article ,
    Pascal Hambourg wrote:

    >All this is useless. The local routes are in a special routing table
    >named 'local' that has precedence over anything else, including the main
    >routing table (which is manipulated by the "route" command) and advanced
    >routing rules.


    That might be true on some systems, but it is false for all of the
    systems that I know about.

    I suppose some system might have more than one routing table, but that
    sounds like a recipe for worse performance to me. All packets would
    have to be checked in that local table lest they turn out to be local,
    but almost all of those local checks would fail. It sounds better to do a
    single check in a single table that would yield either "no route known"
    or "transmit using this interface," and have a purely software
    "loopback interface" that does the obvious.

    That is what classic BSD style TCP/IP code does. It has a single
    forwarding or kernel routing table. The BSD `route` command uses
    system calls (or, in very ancient systems, pokes at kernel memory)
    to manipulate that single routing table. The same system calls
    are used by routing programs such as `routed`. The code in a typical
    BSD style network interface driver uses the same hooks, but of course
    without the user/kernel interface, to add or delete a route through
    the loopback driver when the network interface is turned on or off.
    That happens when the IFF_UP and/or IFF_RUNNING bits in the interface
    structure are changed.

    The special precedence of loopback paths on output is achieved by making
    them host routes, or routes with a /32 or /128 netmask and that just
    happen to use the loopback driver or interface. Input might be said
    to differ somewhat, because of the use of the interface-with-*()
    functions. Of course, those functions are actually called ifa_ifwithaddr(),
    ifa_ifwithbroadaddr(), etc.


    Vernon Schryver vjs@rhyolite.com

  14. Re: Use Localhost address to avoid traffic on ethernet?

    Pascal Hambourg wrote:
    > Was it about the use of the DNAT iptables target to translate the
    > loopback destination address into a remote address and vice versa?


    Yes, I believe it was.

    > > I can think of some stacks that not only don't hit the hardware
    > > for a local IP, they don't even hit the NIC driver for a local IP.


    > Of course they don't. Why would they? Why should the NIC driver
    > take care of traffic that does not go through the NIC?


    Who knows what goes through the minds of stack writers?-)

    In the case of HP-UX, one might want it to go to the driver to have it
    go past the promiscuous mode hooks for tcpdump tracing. HP-UX's lo0
    "device" does not have support for bpf-esque stuff, only nettl hooks.

    The default though is to loopback above the driver.

    rick jones
    --
    a wide gulf separates "what if" from "if only"
    these opinions are mine, all mine; HP might not want them anyway...
    feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

  15. Re: Use Localhost address to avoid traffic on ethernet?

    Pascal Hambourg wrote:
    > Jim Logajan wrote:
    >>
    >> Here's what RFC 4291 says:
    >>
    >> "2.5.3. The Loopback Address
    >> [...]
    >> An IPv6 packet with a destination address of loopback must never be
    >> sent outside of a single node and must never be forwarded by an IPv6
    >> router. [...]"
    >>
    >> IPv4 never had such requirements that I can find.

    >
    > What about RFC 1122, 1812, 3330 ?


    Doh! You are correct. Somehow I missed it in RFC 1122 and 1812. I have a
    lame excuse: lately I've been tasked with developing a set of IPv6 tests so
    I made the mistake of only spot reading the IPv4 related RFCs, thinking
    they were only marginally relevant to my goal.

  16. Re: Use Localhost address to avoid traffic on ethernet?

    Vernon Schryver wrote:
    > Pascal Hambourg wrote:
    >
    >>>I can think of some stacks that not only don't hit the hardware for a
    >>>local IP, they don't even hit the NIC driver for a local IP.

    >>
    >>Of course they don't. Why would they? Why should the NIC driver take
    >>care of traffic that does not go through the NIC?

    >
    > People with experience with serious communications systems expect at
    > least one mode of loopback tests to cover as much of the hardware as
    > physically possible. For example, they expect a loopback test on an
    > 802.3 interface to at least exercise enough of the hardware to detect
    > a disconnected cable (e.g. lack of heartbeat on twisted pairs or no
    > carrier on yellow hose).


    I agree. But IMO such a test should be done at the link layer level or
    below, not at the IP level.

    > So they complain when `ping myhost` is
    > short-circuited by the driver or routing and never gets close to the
    > hardware.


    They use the wrong tool. IP is not intended to check hardware.

  17. Re: Use Localhost address to avoid traffic on ethernet?

    Vernon Schryver wrote:
    > Pascal Hambourg wrote:
    >
    >>All this is useless. The local routes are in a special routing table
    >>named 'local' that has precedence over anything else, including the main
    >>routing table (which is manipulated by the "route" command) and advanced
    >>routing rules.

    >
    > That might be true on some systems, but it is false for all of the
    > systems that I know about.


    The paragraph I replied to was only about Linux, and so was my reply.
    Other systems may of course vary.

  18. Re: Use Localhost address to avoid traffic on ethernet?

    In article ,
    Pascal Hambourg wrote:

    >I agree. But IMO such test should be done at the link layer level or
    >below, not at the IP level.
    >
    >> So they complain when `ping myhost` is
    >> short-circuited by the driver or routing and never gets close to the
    >> hardware.

    >
    >They use the wrong tool. IP is not intended to check hardware.


    On the contrary, neither link layer nor any other communications
    protocol or layer is "intended to check hardware." More important,
    the distinction between "IP" and "hardware" is meaningless given
    parts of systems that look like "hardware" to other parts of the
    system but do significant Internet Protocol work. Since the earliest
    days of TCP/IP, there have been boards that did some or all TCP,
    UDP, ICMP, and IP functions. It is entirely wrong to insist that
    only the link layer do loopback tests on ancient products like the
    Interlan and Excelan boards or more recent NICs with various flavors
    of "protocol offload," because a link layer loopback test would miss
    large parts of the normal data path.

    Any test is less useful as it differs from real work. A purely link
    layer loopback test might not notice a data dependent hardware problem
    that happens in real work. If your link layer hardware is only sensitive
    to the bits that you always see starting an IP packet, a link layer
    loopback test might insist that everything is wonderful in a system
    that doesn't work at all. Such considerations are why packet snooping
    hooks should be as far away from the center of the system as possible.
    If you have a rare packet corruption problem caused by obscure NUMA
    cache interactions, you'll never find it if you insist on keeping IP
    out of the diagnosing--or so my personal real life experience attests.

    If the link layer is able to do a loopback or other (e.g. error
    injection) test, then why not let the upper layers participate?


    Vernon Schryver vjs@rhyolite.com

  19. Re: Use Localhost address to avoid traffic on ethernet?

    On Aug 21, 5:36 am, PsiX wrote:

    > I want my application to avoid sending data within my local intranet
    > if the server and client app are on the same host.


    How could it? What would send the packets back?

    > Is it guaranteed that no packets will leave the local machine if I use
    > the localhost address as destination?
    > Or is it OS specific?


    If they left the machine, how would they get back to it?

    DS
