IPFW2 versrcreach update

From: James (haesu_at_towardex.com)
Date: 07/20/04

  • Next message: Gleb Smirnoff: "Re: IPFW2 versrcreach update"
    Date: Mon, 19 Jul 2004 22:12:38 -0400
    To: Andre Oppermann <andre@freebsd.org>
    
    

    Andre, et al:

    Previously, in "My planned work on networking stack" thread, Andre made a patch
    which allows loose-check uRPF verification using ipfw2. The command syntax is
    versrcreach as opposed to verrevpath. The versrcreach simply checks if the
    source address has a route other than default. In other words, pass the packet
    if the source address is reachable via any available interface for which there
    is a route. This is useful in multihomed BGP environments (mostly for service
    providers using FreeBSD as routing platform). The message in which Andre posted
    the patch is below this email, quoted.

    Anyhow, getting straight to business:
    The uRPF loose-check implementation by the industry vendors, at least on Cisco
    and possibly Juniper, will fail the check if the route of the source address
    is pointed to Null0 (on Juniper, discard or reject route). What this means is,
    even if uRPF Loose-check finds the route, if the route is pointed to blackhole,
    uRPF loose-check must fail. This allows people to utilize uRPF loose-check mode
    as a pseudo-packet-firewall without using any manual filtering configuration --
    one can simply inject an IGP or BGP prefix with next-hop set to a static route
    that directs to null/discard facility. This results in uRPF Loose-check failing
    on all packets with source addresses that are within the range of the nullroute.

    Under verify_path() in the ip_fw2.c patch Andre provided, I'd like to propose
    possibly including the following line of change I'm thinking about in my head
    right now.

            /* if no ifp provided, check if rtentry is not default route */
            if (ifp == NULL &&
                 satosin(rt_key(ro.ro_rt))->sin_addr.s_addr == INADDR_ANY) {
                    RTFREE(ro.ro_rt);
                    return 0;
            }

    + /* by this point a route is found. check if this is pointed
    + * to blackhole/reject */
    + if (ifp == NULL && ro.ro_rt->rt_flags & (RTF_REJECT|RTF_BLACKHOLE) ) {
    + RTFREE(ro.ro_rt);
    + return 0;
    + }
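    Review bot: parenthesize the flag test in the new condition for readability; `&` binds tighter than `&&` so `ifp == NULL && ro.ro_rt->rt_flags & (RTF_REJECT|RTF_BLACKHOLE)` is correct as written, but `(ro.ro_rt->rt_flags & (RTF_REJECT|RTF_BLACKHOLE)) != 0` makes the intent obvious and avoids a style(9)-type complaint. Since the hunk repeats the `ifp == NULL` guard of the default-route check directly above it, the two tests could also be merged into one `if (ifp == NULL && (... == INADDR_ANY || (rt_flags & ...)))` with a single RTFREE/return. Finally, the hunk only rejects reject/blackhole routes in loose mode; it is worth stating in the commit message whether a reject/blackhole route is meant to pass the strict (ifp != NULL) path on an interface match, or whether the flag test should apply in both modes.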

    Haven't tested this yet, but will do tomorrow after I finish some other stuff
    I need done before rebooting w/ a test kernel.
    Anyway the idea is to fail the check if the route has RTF_REJECT or
    RTF_BLACKHOLE flag, under loose-check (ifp set to NULL) operation, which is
    an easy, straightforward change.

    Thanks,
    -J

    -- 
    James Jun                                            TowardEX Technologies, Inc.
    Technical Lead                        Network Design, Consulting, IT Outsourcing
    james@towardex.com                  Boston-based Colocation & Bandwidth Services
    cell: 1(978)-394-2867           web: http://www.towardex.com , noc: www.twdx.net
    > 
    > Here you go:
    > 
    >  http://www.nrg4u.com/freebsd/ipfw_versrcreach.diff
    > 
    > This one implements the standard functionality, the definition of an
    > interface through which it has to be reachable is not (yet) supported.
    > 
    > Using this option only makes sense when you don't have a default route
    > which naturally always matches.  So this is useful for machines acting
    > as routers with a default-free view of the entire Internet as common
    > when running a BGP daemon (Zebra/Quagga or OpenBSD bgpd).
    > 
    > One useful way of enabling it globally on a router looks like this:
    > 
    >  ipfw add xxxx deny ip from any to any not versrcreach
    > 
    > or for an individual interface only:
    > 
    >  ipfw add xxxx deny ip from any to any not versrcreach recv fxp0
    > 
    > I'd like to get some feedback (and a man page draft) before I commit it
    > to -CURRENT.
    > 
    > -- 
    > Andre
    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
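The decision described in the thread above (pass only when a non-default route exists for the source, and additionally fail when that route is a reject or blackhole route), as an added userland model that is not part of the original email, of Andre's patch, or of FreeBSD's ip_fw2.c. The routing table, prefixes, the RTF_* flag values and the function names are constructed for this example; it does not use the kernel's rtentry layout or real flag values.

```c
/*
 * Added example: a userland model of the ipfw "versrcreach" loose-check
 * verdict discussed in the thread, including the proposed RTF_REJECT /
 * RTF_BLACKHOLE refinement. Everything here is constructed for illustration
 * and is not FreeBSD kernel code.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RTF_REJECT    0x1u   /* constructed values, not the kernel's */
#define RTF_BLACKHOLE 0x2u

struct route_entry {
    uint32_t prefix;   /* network address, host byte order */
    int      plen;     /* prefix length; 0 means the default route */
    unsigned flags;    /* RTF_REJECT / RTF_BLACKHOLE or 0 */
};

/* Constructed routing table: a default route, an ordinary prefix, and two
 * prefixes nullrouted the way the thread describes (blackhole/reject). */
static const struct route_entry rtable[] = {
    { 0x00000000u,  0, 0 },              /* 0.0.0.0/0       default        */
    { 0xC0A80100u, 24, 0 },              /* 192.168.1.0/24  normal route   */
    { 0x0A000000u,  8, RTF_BLACKHOLE },  /* 10.0.0.0/8      blackholed     */
    { 0xAC100000u, 12, RTF_REJECT },     /* 172.16.0.0/12   reject route   */
};

static uint32_t netmask(int plen)
{
    return plen == 0 ? 0u : ~0u << (32 - plen);
}

/* Longest-prefix match over the constructed table; NULL if nothing matches. */
static const struct route_entry *lookup(uint32_t addr)
{
    const struct route_entry *best = NULL;
    for (size_t i = 0; i < sizeof rtable / sizeof rtable[0]; i++) {
        if ((addr & netmask(rtable[i].plen)) == rtable[i].prefix &&
            (best == NULL || rtable[i].plen > best->plen))
            best = &rtable[i];
    }
    return best;
}

/*
 * Loose-check verdict for a source address: 1 = pass, 0 = fail.
 * Mirrors the two checks in the thread: the default route does not count,
 * and (the proposed addition) a route flagged reject/blackhole fails too.
 */
int versrcreach_loose(uint32_t src)
{
    const struct route_entry *rt = lookup(src);

    if (rt == NULL)
        return 0;                       /* no route at all */
    if (rt->plen == 0)
        return 0;                       /* only the default route matched */
    if ((rt->flags & (RTF_REJECT | RTF_BLACKHOLE)) != 0)
        return 0;                       /* route points at the discard facility */
    return 1;
}

/* Helper to build a host-order IPv4 address from its dotted-quad octets. */
uint32_t ip4(int a, int b, int c, int d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

int main(void)
{
    struct { const char *name; uint32_t addr; } samples[] = {
        { "192.168.1.10 (normal route)",   ip4(192, 168, 1, 10) },
        { "10.1.2.3     (blackholed)",     ip4(10, 1, 2, 3) },
        { "172.20.0.1   (reject route)",   ip4(172, 20, 0, 1) },
        { "8.8.8.8      (default only)",   ip4(8, 8, 8, 8) },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-30s -> %s\n", samples[i].name,
               versrcreach_loose(samples[i].addr) ? "pass" : "fail");
    return 0;
}
```

The model fails a source that only matches the default route, which is the behaviour Andre's patch already has, and it also fails sources covered by the blackholed 10.0.0.0/8 and the rejected 172.16.0.0/12, which is the refinement James proposes; an `ipfw add xxxx deny ip from any to any not versrcreach` rule built on this verdict therefore drops traffic from nullrouted source ranges without any per-prefix filter lines.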