> I would conclude that there are just to many "bad" things that could
> happen if interfaces respond to ARP requests for IP's they are not
> configured for. Because of the advent of switches (both layer 2 and
> layer 3) I believe the only "correct" behaviour would be for ONLY the
> interface that was configured for a particular IP address to respond to
> ARPs for the IP address. May be this is not addressed in any current
> RFCs, but I can't think of a reason this "standard" should not be
> implemented in Linux.
I am completely agree with this opinion, and I'd like to add one point.
Let's consider the situation we have two interfaces configured for
two different networks at the same host. Next, let this host has to
operate as two different web-servers (rather typical situation), and the fact,
that this is really one physical host, must be hidden by
security reasons. I have two different ISPs and two different routes for
these two interfaces, and IP forwarding off. The configuration seems
secure... But if first interface will reply to ARP for interface 2 IP,
then, clearly, security will be completely broken.
More generally, the concept when IP address is assotiated with HOST, not
whith interface, contradicts with basic UNIX concept to have
HOST IP address 127.0.0.1, and others IP - the interface addresses.
As a result, it leads to numerous difficulties in complex routing/
firewalling/accounting situations.
_________________________________________________________________________
Evgeny Rodichev Sternberg Astronomical Institute
System/Net Admin Moscow State University
email: er@sai.msu.su
Phone: 007 (095) 939 2383
Fax: 007 (095) 932 8841 http://www.sai.msu.su/~er
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/