08.12.2019 16:42, Alexandr Nedvedicky wrote:
Hello,

The commit from today [1] makes the IP stack more paranoid. Up to now OpenBSD
implemented the so-called 'weak host model' [2]. Today's commit alters
that for hosts which don't forward packets (don't act as routers).

Your laptops, desktops and servers now check the packet destination address
against the IP address bound to the interface where such a packet is received.
If there is a mismatch, the packet will be discarded and the 'wrongif'
counter will be bumped. You can use 'netstat -s | grep wrongif' to
display the counter value.

It is understood that the behavior, which has been settled in the IP stack since the 80's,
got changed. tech@openbsd.org (or b...@openbsd.org) wants to hear back from you
if this change breaks your existing setup. There is a common belief that this
change won't hurt the majority (> 97%) of users, though there is some non-zero risk,
hence this announcement is being sent.

Thanks for the announcement, it indeed looks like a useful hardening. However, I am worried about one particular class of systems that forward packets. Namely, systems that run virtual machines. This fix does not apply to them, although in most cases it should.

There might be also other classes of routers which don't do anything asymmetric and therefore would also want protection from packets received on the wrong interface.

So maybe a separate announcement should be sent, with recommendations how to protect such systems.

--
Alexander E. Patrakov
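To make the difference between the two host models concrete, here is an added example that is not part of the thread and not OpenBSD's code: a small Python model of the destination check described in the announcement. A host that does not forward accepts a unicast packet only if the destination matches an address on the receiving interface and otherwise bumps a 'wrongif' counter; a forwarding host keeps the weak-model behaviour and accepts any local address. The interface names, addresses and packets are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Added illustration of the weak vs. strong host model check; not OpenBSD code.

@dataclass
class Host:
    ifaces: dict            # interface name -> set of local addresses (constructed sample)
    forwarding: bool = False  # models a host that forwards packets (acts as a router)
    wrongif: int = 0          # models the 'wrongif' counter shown by netstat -s

    def all_addrs(self):
        """Every address bound to any interface on this host."""
        return {a for addrs in self.ifaces.values() for a in addrs}

    def accept(self, rcvif: str, dst: str) -> bool:
        """Decide whether a unicast packet to `dst` received on `rcvif` is for us."""
        dst = ip_address(dst)
        if dst not in self.all_addrs():
            return False            # not a local address: not delivered locally
        if self.forwarding:
            return True             # weak host model: any local address is fine
        if dst in self.ifaces.get(rcvif, set()):
            return True             # strong host model: must match the receiving interface
        self.wrongif += 1           # mismatch: drop and count it
        return False


def demo():
    """Run the same constructed packets through a non-forwarding and a forwarding host."""
    ifaces = {
        "em0": {ip_address("192.0.2.10")},        # constructed sample addresses
        "em1": {ip_address("198.51.100.10")},
    }
    laptop = Host(ifaces=dict(ifaces))                    # does not forward
    router = Host(ifaces=dict(ifaces), forwarding=True)   # forwards packets

    packets = [
        ("em0", "192.0.2.10"),      # arrives on the interface that owns the address
        ("em0", "198.51.100.10"),   # local address, but bound to em1: wrong interface
        ("em1", "203.0.113.5"),     # not a local address at all
    ]
    return {
        "laptop": [laptop.accept(i, d) for i, d in packets],
        "laptop_wrongif": laptop.wrongif,
        "router": [router.accept(i, d) for i, d in packets],
        "router_wrongif": router.wrongif,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The second packet is the interesting one: the non-forwarding host drops it and counts a 'wrongif', while the forwarding host still accepts it, which is exactly the gap for VM hosts and other forwarding systems raised above.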
