From owner-freebsd-stable Mon Sep 24 10:24: 9 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from ptavv.es.net (ptavv.es.net [198.128.4.29])
	by hub.freebsd.org (Postfix) with ESMTP id 45EA837B434
	for ; Mon, 24 Sep 2001 10:23:57 -0700 (PDT)
Received: from ptavv.es.net (localhost [127.0.0.1])
	by ptavv.es.net (8.10.1/8.10.1) with ESMTP id f8OHNfR15166;
	Mon, 24 Sep 2001 10:23:41 -0700 (PDT)
Message-Id: <200109241723.f8OHNfR15166@ptavv.es.net>
To: Lamont Granquist
Cc: Joe Abley, Juha Saarinen, "'Andrew Reilly'", freebsd-stable@FreeBSD.ORG
Subject: Re: 127/8 continued
In-reply-to: Your message of "Mon, 24 Sep 2001 09:43:42 PDT." <20010924094048.X5906-100000@coredump.scriptkiddie.org>
Date: Mon, 24 Sep 2001 10:23:41 -0700
From: "Kevin Oberman"
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> Date: Mon, 24 Sep 2001 09:43:42 -0700 (PDT)
> From: Lamont Granquist
> Sender: owner-freebsd-stable@FreeBSD.ORG
>
> On Mon, 24 Sep 2001, Joe Abley wrote:
> > On Mon, Sep 24, 2001 at 07:16:00PM +1200, Juha Saarinen wrote:
> > > :: Those packets are _supposed_ to get back to this host. That's
> > > :: what loopback is for.
> > >
> > > Yes, I think the RFCs make a point of this.
> >
> > RFC1122 also says, in the same paragraph, "addresses of this form
> > MUST NOT appear outside the host."
>
> This is what we're talking about. Right now if you take a vanilla FBSD
> box a 'ping 127.1.1.1' will be routed to the default router.
>
> > Installing a null covering route for 127/8 with the blackhole bit
> > set seems a good way of preventing addresses with a destination
> > within 127/8 from being sent out on a non-loopback interface, without
> > resorting to nasty hacks which make address handling on the loopback
> > interface different to every other interface. It is also consistent
> > with the robustness principle.
> >
> >   route add 127.0.0.0 -netmask 255.0.0.0 -iface lo0 -blackhole
>
> It seems that 127.0.0.1 works when you do this, as do aliases that you add
> to the lo0 interface. Works for me.
>
> > But, whatever. This is hardly a monumental requirement worth bickering
> > over.
>
> It's worth getting right though. Keep the surprises minimal.

Absolutely! The RFC1122 text is quite clear that no packet with a
destination of 127/8 should EVER appear on any external network
connection. I don't see any requirement that all 127/8 addresses act as
loopback, but they MUST be kept in the machine.

A standard route for 127/8 forcing all packets to the lo0 interface
appears to be a good solution to this.

R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net			Phone: +1 510 486-8634
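
One way to check the outcome discussed in this thread, added here as an example and not taken from any of the messages: classify the output of FreeBSD's `route -n get <addr>` to see whether a 127/8 destination stays on a loopback interface. The two sample outputs are constructed, and the interface name `fxp0` and gateway `192.0.2.1` are assumptions.

```shell
#!/bin/sh
# Added example: decide where the kernel would send a 127/8 destination,
# based on the text output of FreeBSD's `route -n get <addr>`.

# Reads `route -n get` output on stdin and prints one verdict:
#   blackhole   route is on a loopback interface and has the BLACKHOLE flag
#   loopback    route is on a loopback interface, no BLACKHOLE flag
#   leak:<if>   route points at a non-loopback interface
#   unknown     no "interface:" line was found
classify_route() {
    awk '
        $1 == "interface:" { iface = $2 }
        $1 == "flags:"     { flags = $2 }
        END {
            if (iface == "")                print "unknown"
            else if (iface !~ /^lo[0-9]+$/) print "leak:" iface
            else if (flags ~ /BLACKHOLE/)   print "blackhole"
            else                            print "loopback"
        }'
}

# Constructed sample: no 127/8 route exists, so the default route matches.
sample_default() {
    cat <<'EOF'
   route to: 127.1.1.1
destination: default
       mask: default
    gateway: 192.0.2.1
  interface: fxp0
      flags: <UP,GATEWAY,DONE,STATIC>
EOF
}

# Constructed sample: the same lookup once the covering route is installed.
sample_blackhole() {
    cat <<'EOF'
   route to: 127.1.1.1
destination: 127.0.0.0
       mask: 255.0.0.0
  interface: lo0
      flags: <UP,DONE,BLACKHOLE,STATIC>
EOF
}

# Live check on a FreeBSD host: sh check127.sh 127.1.1.1 127.255.255.254
for addr in "$@"; do
    printf '%s %s\n' "$addr" "$(route -n get "$addr" 2>/dev/null | classify_route)"
done
```

A `leak:` verdict for any address in 127/8 means the host would forward that packet out of a real interface, which is the behaviour RFC1122 prohibits.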