From owner-freebsd-hackers Thu Sep 19 14:21:21 2002
Date: Thu, 19 Sep 2002 17:21:18 -0400
From: Richard A Steenbergen <ras@e-gerbil.net>
To: "Crist J. Clark"
Cc: Adrian Penisoara, freebsd-net@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
Subject: Re: Desired feature: ipfw pass for routed IPs
Message-ID: <20020919212118.GU1123@overlord.e-gerbil.net>
References: <20020919181401.GA18752@blossom.cjclark.org>
In-Reply-To: <20020919181401.GA18752@blossom.cjclark.org>
User-Agent: Mutt/1.3.27i

On Thu, Sep 19, 2002 at 11:14:01AM -0700, Crist J. Clark wrote:
> On input packets, it'd be painful and not really practical. On output
> packets, it shouldn't be _too_ bad since the routing information would
> be available.
>
> I'm not quite sure I understand why it would be needed. If there isn't
> a route to send a packet out of an interface, it won't go out of the
> interface. Under what conditions would you see yourself blocking
> packets? Is this really an ackbassward way to filter routes from
> routing daemons?

Sounds like he wants an implementation of unicast reverse path forwarding (uRPF) loose-mode to prevent source address spoofing of non-announced space.
uRPF is simple: you do a 2nd routing lookup on the src address to check for a valid return route, either a) with a nexthop to the interface on which the packet was received, for filtering customers, or b) with a nexthop to any interface, for inbound on network borders. Strict-mode is only useful for devices which route, but loose-mode could potentially be used to reduce the impact of random source DoS attacks (sounds like something linux would do :P).

Unfortunately, the performance impact of doing radix tree lookups for a full routing table to filter this way would probably be worse than not filtering at all. While any device which calls itself a modern router SHOULD have this functionality, I think there are more important things to fix first. :)

--
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
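The two uRPF variants described in the reply above (strict: return route via the ingress interface; loose: return route via any interface), as an added illustration that is not part of the original mail or of ipfw. The FIB entries, interface names and packets are constructed; a plain longest-prefix loop stands in for the kernel's radix tree lookup.

```python
import ipaddress

# Constructed sample FIB (prefix, next-hop interface); not a real network.
FIB = [
    ("0.0.0.0/0", "uplink0"),
    ("192.0.2.0/24", "cust1"),
    ("198.51.100.0/24", "cust2"),
    ("203.0.113.0/24", "uplink0"),
]

def lookup(fib, address):
    """Longest-prefix match standing in for the radix tree lookup.
    Returns (network, interface) or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_permit(fib, src, ingress, mode="strict", ignore_default=True):
    """Second lookup, on the *source* address, as the mail describes.
    strict: best route for src must exit via the ingress interface (case a).
    loose:  src merely needs a route via any interface (case b).
    A bare default route is ignored by default: it proves nothing."""
    match = lookup(fib, src)
    if match is None:
        return False
    net, iface = match
    if ignore_default and net.prefixlen == 0:
        return False
    if mode == "strict":
        return iface == ingress
    if mode == "loose":
        return True
    raise ValueError(f"unknown mode {mode!r}")

def check_samples():
    """Constructed packets (src, ingress interface, mode) -> verdicts."""
    samples = [
        ("192.0.2.10", "cust1", "strict"),  # customer's own space: pass
        ("192.0.2.10", "cust2", "strict"),  # arrives on the wrong port: drop
        ("192.0.2.10", "cust2", "loose"),   # loose only asks "is it routed": pass
        ("10.9.8.7", "uplink0", "loose"),   # unannounced space, default only: drop
    ]
    return [urpf_permit(FIB, s, i, m) for s, i, m in samples]
```

Every packet costs one extra lookup in the full table, which is the performance cost the mail points out.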