Hello all,

thank you very much for your insights. Indeed I did not intend to start
discussions whether the OpenBSD default makes sense or not.

Actually I'd agree that using the Weak Model is beneficial since it
wouldn't break routing functionality. My question was mainly about what
the default is, but this question was answered now.

@Theo: I agree, there's probably only a tiny subset of people actually
setting check_interfaces to 1.

During some further research I found that only Windows versions from
Vista and newer are following the Strong Model in a strict way. However
this makes sense, since I can't think of any routers running Windows.

Again, thank you all.

Cheers,

Bastian

On 18.10.19 at 08:56, Claudio Jeker wrote:
> On Thu, Oct 17, 2019 at 09:50:28PM +0200, Bastian Kanbach wrote:
>> Hello,
>>
>> recently I was performing some checks that relate to the "Strong Host
>> Model" and "Weak Host Model", and I noticed that OpenBSD was behaving
>> differently than I expected. I always assumed that the network stack of
>> OpenBSD was following the "Strong Host Model", but I might be wrong with
>> that:
> OpenBSD does follow the "Weak Host Model". Has always been like that.
>  
>> Basically the Strong Host Model means that the network stack "accepts
>> locally destined packets if the destination IP address in the packet
>> matches an IP address assigned to the network interface on which the
>> packet was received."
>>
>> FreeBSD and NetBSD have a sysctl property for this, called
>> "net.inet.ip.check_interface", which defaults to 0 (Weak Host Model).
>> However for OpenBSD I haven't seen such a property at all.
>>
>>
>> Basically my setup consisted of the following virtual machines and
>> network interfaces (IP-Forwarding disabled):
>>
>>
>> VM 1 (OpenBSD 6.5):
>>
>> em0: 192.168.100.1/24 ("Internal Network")
>>
>> em1: 10.0.0.97/24 ("NAT")
>>
>>
>> VM 2 (Ubuntu Server 18.10):
>>
>> ens33: 192.168.100.2/24 ("Internal Network")
>>
>>
>> ----
>>
>>
>> As expected, ens33 of VM2 can communicate with em0 of VM1, since both
>> interfaces are associated with the same Virtualbox network, and both IP
>> addresses are part of the same /24 subnet.
>>
>> ens33 of VM2 can't directly communicate with em1 of VM1, since the IP
>> addresses are part of different subnets and no routes were configured.
>>
>>
>> Then I performed 2 tests:
>>
>>
>> Test 1:
>>
>> Perform an arping from ens33/VM2 (192.168.100.2) to 10.0.0.97 (VM1). The
>> packet was NOT answered by VM1.
>>
> This is a Layer 2 ARP test. Since 10.0.0.97 is not on that interface arp
> will not answer. The host model only matters for Layer 3.
>
>> Test 2:
>>
>> Set the following route on VM2: ip r add 10.0.0.0/24 via 192.168.100.1.
>> Then send an ICMP echo request to 10.0.0.97 (VM1), originating from
>> 192.168.100.2 (VM2). VM1 replied with an ICMP echo reply (with a source
>> MAC address of interface em0).
>>
>>
>> While the behaviour of Test 1 indicates that the Strong Host Model is
>> followed, Test 2 shows the behaviour of a "Weak Host Model".
>  
> No, Test 1 is not the right test for the host model.
>  
>> Which of the two is actually supposed to be the default for OpenBSD? Is
>> there any kernel parameter to control these behaviours, like
>> net.inet.ip.check_interface for FreeBSD or NetBSD?
> We don't have a button and just follow the "Weak Host Model".
> You can enforce a strong model per interface with pf(4):
>
>     block in on !em0 inet to (em0)
>
> or
>
>     block in
>     pass in on em0 to (em0)
>     pass in on em1 to (em1)
>
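The two tests from the thread, replayed against a small model of the local-delivery decision. This is an added example, not code from the thread or from OpenBSD; it assumes the VM1 addresses given above, and the `VM1_IFACES`, `arp_replies`, `accepts_local` and `pf_strong_host_rules` names are constructed for the illustration. It shows why the ARP test gives the same answer under both models while only the routed ICMP test separates them, and generalises Claudio's per-interface pf rules to any number of interfaces.

```python
from ipaddress import IPv4Address, IPv4Interface

# Constructed host table modelling VM1 from the thread (assumption: same addresses).
VM1_IFACES = {
    "em0": IPv4Interface("192.168.100.1/24"),  # "Internal Network"
    "em1": IPv4Interface("10.0.0.97/24"),      # "NAT"
}


def arp_replies(ifaces, rx_if, target):
    """Layer 2: a who-has is answered only for an address configured on the
    receiving interface. The host model plays no role here (Test 1)."""
    return IPv4Address(target) == ifaces[rx_if].ip


def accepts_local(ifaces, rx_if, dst, model):
    """Layer 3 local-delivery decision for a packet received on rx_if.

    weak:   accept if dst is any address of the host (OpenBSD default).
    strong: accept only if dst belongs to the receiving interface.
    A non-local dst is never delivered locally (it would at most be forwarded
    when IP forwarding is on, which the thread's setup has disabled)."""
    dst = IPv4Address(dst)
    if dst not in {i.ip for i in ifaces.values()}:
        return False
    if model == "weak":
        return True
    if model == "strong":
        return dst == ifaces[rx_if].ip
    raise ValueError(f"unknown host model: {model}")


def pf_strong_host_rules(ifaces):
    """Emit pf(4) rules enforcing a strong host model on every interface,
    the second variant Claudio gives, generalised to all interfaces."""
    lines = ["block in"]
    for name in ifaces:
        lines.append(f"pass in on {name} to ({name})")
    return "\n".join(lines)


def run_thread_tests(model):
    """Replay Test 1 (arping) and Test 2 (routed ICMP echo), both arriving on em0."""
    test1 = arp_replies(VM1_IFACES, "em0", "10.0.0.97")
    test2 = accepts_local(VM1_IFACES, "em0", "10.0.0.97", model)
    return test1, test2


if __name__ == "__main__":
    for m in ("weak", "strong"):
        print(m, run_thread_tests(m))
    print(pf_strong_host_rules(VM1_IFACES))
```

Under both models Test 1 returns False, so it cannot tell the models apart; Test 2 returns True only under the weak model, which is the behaviour the original post observed.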
