
[ih] Origin of the loopback interface


On Mon, Oct 23, 2017 at 12:56:12PM +0100, Tony Finch wrote:
> John Levine <johnl at iecc.com> wrote:
> >
> > Even on machines that do have physical interfaces, putting a service
> > on a loopback address lets me be sure it's only available to other
> > processes on the same machine without having to screw around with
> > packet filters.
> That's not entirely true. The "weak endpoint model" followed by most
> systems means that they will accept packets to any of their addresses on
> any of their interfaces. This opens you up to attacks from malicious
> devices on your LAN(s).
> Actually, the weak endpoint model is probably less pervasive than it used
> to be because some systems have implemented reverse path filtering.

Any URL explaining why it would be an attack to accept packets
for an address you have on another interface? I cannot see that attack.

AFAIK, the problem with weak endpoint model is only that other
nodes have problems performing correct RPF filtering for packets originated
from weak endpoint model nodes when the available addressing is not correctly
announced into routing. And with no equivalent to ES-IS, this requires
endpoints to have either some IGP or some form of LISP running
(LISP the concept, not the solution by the same name).

On Mon, Oct 23, 2017 at 07:26:28AM -0700, Joe Touch wrote:
> Loopback should not be a substitute for IPC. At least one additional reason is that packets sent there might not end up where you think (they could be tunneled elsewhere, e.g.).
> Joe

Architecturally, there should be no reason for another addressing domain ("IPC")
if IP had a working definition of "node-local addressing". AFAIK, the loopback
addresses are meant to do this, but the RFCs IMHO do not call this out very
clearly. In multicast at least there is a node-local scope (FF01). Can't quite
remember (and too lazy to test now), if TTL=0 worked to deliver traffic
only node-local at some point.

[ Btw: I could also tunnel any non-IP form of IPC if I have access to the OS. ]
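The weak/strong endpoint model and reverse path filtering that the thread argues about can be made concrete with a small model of a multihomed host's accept decision. The following is an added illustration written for this page, not code from any participant or from any operating system; the host, its interfaces, addresses and routes are constructed from the RFC 5737 documentation ranges, and the `Host`, `accept` and `demo_host` names are this example's own. It shows the point both sides are circling: the strong model refuses a packet for an address configured on a different interface, while RPF only catches a spoofed source and does nothing about a legitimately sourced LAN packet aimed at an "internal" or loopback address.

```python
"""Constructed model of endpoint-model and RPF accept decisions (illustration only)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass
class Host:
    # interface name -> addresses configured on it (constructed topology)
    addrs: Dict[str, List[IPv4Address]]
    # routing table as (prefix, outgoing interface); most specific prefix wins
    routes: List[Tuple[IPv4Network, str]]
    model: str = "weak"   # "weak" or "strong" endpoint model (RFC 1122, 3.3.4.2)
    rpf: str = "off"      # reverse path filtering: "off", "strict" or "loose"

    def owns(self, dst: IPv4Address) -> List[str]:
        """Interfaces on which dst is configured (empty if not our address)."""
        return [ifn for ifn, lst in self.addrs.items() if dst in lst]

    def route_iface(self, addr: IPv4Address):
        """Interface the host would use to reach addr, or None without a route."""
        best = None
        for prefix, ifn in self.routes:
            if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, ifn)
        return best[1] if best else None

    def accept(self, in_iface: str, src: str, dst: str) -> Tuple[bool, str]:
        """Decide whether a packet arriving on in_iface is delivered locally."""
        src_a, dst_a = ip_address(src), ip_address(dst)
        owners = self.owns(dst_a)
        if not owners:
            return False, "not one of my addresses"
        # Strong model: the destination must be configured on the arrival
        # interface. Weak model: any of our addresses is fine on any interface.
        if self.model == "strong" and in_iface not in owners:
            return False, f"strong model: {dst} is not configured on {in_iface}"
        # RPF checks the *source*: strict requires the return route to leave via
        # the arrival interface, loose only requires some route back at all.
        if self.rpf != "off":
            back = self.route_iface(src_a)
            if back is None:
                return False, f"rpf: no route back to {src}"
            if self.rpf == "strict" and back != in_iface:
                return False, f"rpf: {src} is reachable via {back}, not {in_iface}"
        return True, f"accepted on {in_iface}"


def demo_host(model: str = "weak", rpf: str = "off") -> Host:
    """Constructed multihomed host: eth0 faces the LAN, eth1 a management net."""
    return Host(
        addrs={
            "lo": [ip_address("127.0.0.1")],
            "eth0": [ip_address("192.0.2.10")],
            "eth1": [ip_address("198.51.100.10")],
        },
        routes=[
            (ip_network("0.0.0.0/0"), "eth0"),
            (ip_network("198.51.100.0/24"), "eth1"),
            (ip_network("127.0.0.0/8"), "lo"),
        ],
        model=model,
        rpf=rpf,
    )


if __name__ == "__main__":
    # A LAN node on eth0 (legitimate source) sends to the eth1 address and to
    # loopback; a second LAN node spoofs a management-net source address.
    cases = [
        ("eth0", "192.0.2.66", "198.51.100.10"),   # reach eth1 service via eth0
        ("eth0", "192.0.2.66", "127.0.0.1"),       # reach loopback service via eth0
        ("eth0", "198.51.100.77", "198.51.100.10"),  # spoofed source from the LAN
    ]
    for model in ("weak", "strong"):
        for rpf in ("off", "loose", "strict"):
            host = demo_host(model, rpf)
            for case in cases:
                ok, why = host.accept(*case)
                print(f"{model:6} rpf={rpf:6} {case[1]:>14} -> {case[2]:<14} {ok!s:5} {why}")
```

Run it and the table shows that neither loose nor strict RPF blocks the first two cases, because their source really does sit behind eth0; only the strong model does. On Linux the corresponding knobs are `net.ipv4.conf.<if>.rp_filter` (0 off, 1 strict, 2 loose), and packets to or from 127.0.0.0/8 arriving on a non-loopback interface are additionally treated as martians and dropped unless `route_localnet` is enabled, which is a stronger guarantee for the loopback case than the plain weak model in this toy gives.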