Linux as strong end host

 
dspfun
Posted: Fri Apr 27, 2012 12:07 am    Post subject: Linux as strong end host
Archived from groups: comp>os>linux>networking


Hi!

Among many usages, Linux can be used/configured as an "End
System" (a.k.a. host) or a router.

When using Linux as an ES (End System), Linux can be configured/used
as supporting either the "Strong ES Model" or the "Weak ES Model".
The default for a Linux ES is the "Weak ES Model".

See http://tools.ietf.org/html/rfc1122 regarding "Strong ES Model"
and "Weak ES Model".

The question is, what is the easiest/best way to configure/setup
Linux as an End System supporting the "Strong ES Model"?

Does there exist a "simple configuration flag" for configuring the
Linux host either as weak or strong?

If not do you think it would be a useful/helpful configuration option
to add?

Brs

Jorgen Grahn
Posted: Fri Apr 27, 2012 6:10 am    Post subject: Re: Linux as strong end host

On Fri, 2012-04-27, dspfun wrote:
> Hi!
>
> Among many usages, Linux can be used/configured as an "End
> System" (a.k.a. host) or a router.
>
> When using Linux as an ES (End System), Linux can be configured/used
> as supporting either the "Strong ES Model" or the "Weak ES Model".

Says who? I always heard Linux implements the weak model, period.

I haven't heard the term ES before. You're more likely to be
understood if you use the accepted terminology (which is "host",
like you noted.)

/Jorgen

--
// Jorgen Grahn <grahn@ Oo o. . .
\X/ snipabacken.se> O o .

Richard Kettlewell
Posted: Fri Apr 27, 2012 9:10 am    Post subject: Re: Linux as strong end host

Jorgen Grahn writes:
> dspfun wrote:

>> Among many usages, Linux can be used/configured as an "End
>> System" (a.k.a. host) or a router.
>>
>> When using Linux as an ES (End System), Linux can be configured/used
>> as supporting either the "Strong ES Model" or the "Weak ES Model".
>
> Says who? I always heard Linux implements the weak model, period.
>
> I haven't heard the term ES before. You're more likely to be
> understood if you use the accepted terminology (which is "host",
> like you noted.)

The 'end system' terminology is hardly obscure, especially when
discussing the strong and weak models, and dates back at least to the
1980s.

--
http://www.greenend.org.uk/rjk/

Jorgen Grahn
Posted: Fri Apr 27, 2012 12:10 pm    Post subject: Re: Linux as strong end host

On Fri, 2012-04-27, Richard Kettlewell wrote:
> Jorgen Grahn writes:
>> dspfun wrote:
>
>>> Among many usages, Linux can be used/configured as an "End
>>> System" (a.k.a. host) or a router.
>>>
>>> When using Linux as an ES (End System), Linux can be configured/used
>>> as supporting either the "Strong ES Model" or the "Weak ES Model".
>>
>> Says who? I always heard Linux implements the weak model, period.
>>
>> I haven't heard the term ES before. You're more likely to be
>> understood if you use the accepted terminology (which is "host",
>> like you noted.)
>
> The 'end system' terminology is hardly obscure, especially when
> discussing the strong and weak models, and dates back at least to the
> 1980s.

Perhaps not /obscure/, but certainly less common than "host".

/Jorgen

--
// Jorgen Grahn <grahn@ Oo o. . .
\X/ snipabacken.se> O o .

unruh
Posted: Fri Apr 27, 2012 2:10 pm    Post subject: Re: Linux as strong end host

On 2012-04-27, Jorgen Grahn wrote:
> On Fri, 2012-04-27, Richard Kettlewell wrote:
>> Jorgen Grahn writes:
>>> dspfun wrote:
>>
>>>> Among many usages, Linux can be used/configured as an "End
>>>> System" (a.k.a. host) or a router.
>>>>
>>>> When using Linux as an ES (End System), Linux can be configured/used
>>>> as supporting either the "Strong ES Model" or the "Weak ES Model".
>>>
>>> Says who? I always heard Linux implements the weak model, period.
>>>
>>> I haven't heard the term ES before. You're more likely to be
>>> understood if you use the accepted terminology (which is "host",
>>> like you noted.)
>>
>> The 'end system' terminology is hardly obscure, especially when
>> discussing the strong and weak models, and dates back at least to the
>> 1980s.

Instead of getting into an argument as to when the term was first used,
when it is clear people do not know it, define your terms. What in the
world does "Strong ES model" and "weak ES model" mean?

Anyway for others that are confused, here is a definition from
lwn.net/2001/0308/security.php3

Elias Levy posted an excerpt of the portion of the RFC that applies to
this issue. The two implementations it describes are entitled "Strong ES
Model" and "Weak ES Model". Under the Strong ES Model, packets arriving
from one network interface will not be forwarded to other network
interfaces unless forwarding is enabled. Under the Weak ES Model, the
reverse is true, packets will be forwarded even with forwarding
disabled. The Weak ES Model is the one that has some people concerned.


I would agree that the weak model would concern me. But I am not sure how
I would test it.
>
> Perhaps not /obscure/, but certainly less common than "host".
>
> /Jorgen
>

Rick Jones
Posted: Fri Apr 27, 2012 3:10 pm    Post subject: Re: Linux as strong end host

dspfun wrote:
> Does there exist a "simple configuration flag" for configuring the
> Linux host either as weak or strong?

You mean like the ndd strong_es_model ndd option in HP-UX? (And
Solaris?) I doubt Linux has something like those. I suspect the way
one would go about getting Linux to behave per the strong end system
model would be to tweak the sysctls for ARPs behaviour (arp_ignore,
arp_filter IIRC) and then add per-interface ingress filtering that
accepts only traffic addressed to the address(es) assigned to that
interface.

rick jones
--
firebug n, the idiot who tosses a lit cigarette out his car window
these opinions are mine, all mine; HP might not want them anyway... :)
feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

Richard Kettlewell
Posted: Fri Apr 27, 2012 3:10 pm    Post subject: Re: Linux as strong end host

unruh writes:
> Jorgen Grahn wrote:
>> Richard Kettlewell wrote:
>>> Jorgen Grahn writes:
>>>> dspfun wrote:

>>>>> Among many usages, Linux can be used/configured as an "End
>>>>> System" (a.k.a. host) or a router.
>>>>>
>>>>> When using Linux as an ES (End System), Linux can be configured/used
>>>>> as supporting either the "Strong ES Model" or the "Weak ES Model".
>>>>
>>>> Says who? I always heard Linux implements the weak model, period.
>>>>
>>>> I haven't heard the term ES before. You're more likely to be
>>>> understood if you use the accepted terminology (which is "host",
>>>> like you noted.)
>>>
>>> The 'end system' terminology is hardly obscure, especially when
>>> discussing the strong and weak models, and dates back at least to the
>>> 1980s.
>
> Instead of getting into an argument as to when the term was first
> used, when it is clear people do not know it, define your terms. What
> in the world does "Strong ES model" and "weak ES model" mean?

The original article included a link containing definitions. If someone
happens to be too lazy to read it, whose fault is that?

> I would agree that the weak model would concern me. But I am not sure
> how I would test it.

You try it and see, basically - you set up a multihomed host and see how
it reacts to packets addressed to one interface turning up on the other.

--
http://www.greenend.org.uk/rjk/

Pascal Hambourg
Posted: Fri Apr 27, 2012 7:10 pm    Post subject: Re: Linux as strong end host

Hello,

Rick Jones wrote:
> dspfun wrote:
>> Does there exist a "simple configuration flag" for configuring the
>> Linux host either as weak or strong?
>
> You mean like the ndd strong_es_model ndd option in HP-UX? (And
> Solaris?) I doubt Linux has something like those. I suspect the way
> one would go about getting Linux to behave per the strong end system
> model would be to tweak the sysctls for ARPs behaviour (arp_ignore,
> arp_filter IIRC) and then add per-interface ingress filtering that
> accepts only traffic addressed to the address(es) assigned to that
> interface.

I agree.
It also requires source-based routing for outgoing traffic to make sure
an interface sends only packets with the source address assigned to that
interface.

Pascal Hambourg
Posted: Fri Apr 27, 2012 7:10 pm    Post subject: Re: Linux as strong end host

unruh wrote:
>
> Under the Strong ES Model, packets arriving
> from one network interface will not be forwarded to other network
> interfaces unless forwarding is enabled. Under the Weak ES Model, the
> reverse is true, packets will be forwarded even with forwarding
> disabled.

Huh ? "packets will be forwarded even with forwarding disabled"

This makes no sense. Strong vs weak host model has nothing to do with
forwarding. Host model applies to hosts, whereas forwarding applies to
routers.

Rick Jones
Posted: Fri Apr 27, 2012 8:10 pm    Post subject: Re: Linux as strong end host

Pascal Hambourg wrote:
> unruh wrote:
> >
> > Under the Strong ES Model, packets arriving from one network
> > interface will not be forwarded to other network interfaces unless
> > forwarding is enabled. Under the Weak ES Model, the reverse is
> > true, packets will be forwarded even with forwarding disabled.

> Huh ? "packets will be forwarded even with forwarding disabled"

> This makes no sense. Strong vs weak host model has nothing to do
> with forwarding. Host model applies to hosts, whereas forwarding
> applies to routers.

At the risk of typing into unruh's keyboard, whenever I was explaining
the ip_strong_es_model ndd setting in HP-UX I would say something like
"Under the Strong ES Model packets destined for the host will be
accepted for further processing only on the interface to which the
corresponding address was assigned. Under the Weak ES Model, packets
destined for the host will be accepted on any interface. Or, put
another way, under the Strong ES model, addresses are a property of
interfaces, under the Weak ES model, they are a property of the host
as a whole."

rick jones
--
Wisdom Teeth are impacted, people are affected by the effects of events.
these opinions are mine, all mine; HP might not want them anyway... :)
feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

Rick Jones
Posted: Fri Apr 27, 2012 8:10 pm    Post subject: Re: Linux as strong end host

Pascal Hambourg wrote:
> It also requires source-based routing for outgoing traffic to make
> sure an interface sends only packets with the source address
> assigned to that interface.

True. In HP-UX there is something of a "Firm ES Model" which does the
source-based routing for outbound, but accepts inbound traffic on any
interface.

rick
--
A: Because it fouls the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?

unruh
Posted: Fri Apr 27, 2012 8:10 pm    Post subject: Re: Linux as strong end host

On 2012-04-27, Pascal Hambourg wrote:
> unruh wrote:
>>
>> Under the Strong ES Model, packets arriving
>> from one network interface will not be forwarded to other network
>> interfaces unless forwarding is enabled. Under the Weak ES Model, the
>> reverse is true, packets will be forwarded even with forwarding
>> disabled.
>
> Huh ? "packets will be forwarded even with forwarding disabled"
>
> This makes no sense. Strong vs weak host model has nothing to do with
> forwarding. Host model applies to hosts, whereas forwarding applies to
> routers.

Yes, it seems that the terminology is a bit weird (like quantum groups,
which are neither quantum nor are they groups). That was why I posted
the definitions. "If I want egg to mean something tall and fuzzy with
horns on the side, then that is what egg means"
Of course in communicating with others, that attitude can cause some
problems.

David Brown
Posted: Sat Apr 28, 2012 8:10 am    Post subject: Re: Linux as strong end host

On 27/04/12 20:33, Richard Kettlewell wrote:
> unruh writes:
>> Jorgen Grahn wrote:
>>> Richard Kettlewell wrote:
>>>> Jorgen Grahn writes:
>>>>> dspfun wrote:
>
>>>>>> Among many usages, Linux can be used/configured as an "End
>>>>>> System" (a.k.a. host) or a router.
>>>>>>
>>>>>> When using Linux as an ES (End System), Linux can be
>>>>>> configured/used as supporting either the "Strong ES Model"
>>>>>> or the "Weak ES Model".
>>>>>
>>>>> Says who? I always heard Linux implements the weak model,
>>>>> period.
>>>>>
>>>>> I haven't heard the term ES before. You're more likely to be
>>>>> understood if you use the accepted terminology (which is
>>>>> "host", like you noted.)
>>>>
>>>> The 'end system' terminology is hardly obscure, especially
>>>> when discussing the strong and weak models, and dates back at
>>>> least to the 1980s.
>>
>> Instead of getting into an argument as to when the term was first
>> used, when it is clear people do not know it, define your terms.
>> What in the world does "Strong ES model" and "weak ES model" mean?
>
> The original article included a link containing definitions. If
> someone happens to be too lazy to read it, whose fault is that?
>

If someone is too lazy to read through a 116 page barely comprehensible
RFC to get the information that could be summarised in one paragraph (as
unruh did), then the fault lies clearly with the OP.

Jorgen Grahn
Posted: Mon Apr 30, 2012 5:10 pm    Post subject: Re: Linux as strong end host

On Fri, 2012-04-27, unruh wrote:
> On 2012-04-27, Jorgen Grahn wrote:
>> On Fri, 2012-04-27, Richard Kettlewell wrote:
>>> Jorgen Grahn writes:
>>>> dspfun wrote:
>>>
>>>>> Among many usages, Linux can be used/configured as an "End
>>>>> System" (a.k.a. host) or a router.
>>>>>
>>>>> When using Linux as an ES (End System), Linux can be configured/used
>>>>> as supporting either the "Strong ES Model" or the "Weak ES Model".
>>>>
>>>> Says who? I always heard Linux implements the weak model, period.
>>>>
>>>> I haven't heard the term ES before. You're more likely to be
>>>> understood if you use the accepted terminology (which is "host",
>>>> like you noted.)
>>>
>>> The 'end system' terminology is hardly obscure, especially when
>>> discussing the strong and weak models, and dates back at least to the
>>> 1980s.
>
> Instead of getting into an argument as to when the term was first used,
> when it is clear people do not know it, define your terms. What in the
> world does "Strong ES model" and "weak ES model" mean?

I should add here that my problem wasn't with strong/weak (that's an
important and fairly well-known distinction) but with using the term
"end system" or "ES" instead of "host".

More interesting would be a reference for the OP's claim that Linux
can be configured to support either one.

/Jorgen

--
// Jorgen Grahn <grahn@ Oo o. . .
\X/ snipabacken.se> O o .

Rick Jones
Posted: Mon Apr 30, 2012 7:10 pm    Post subject: Re: Linux as strong end host

Jorgen Grahn wrote:
> I should add here that my problem wasn't with strong/weak (that's an
> important and fairly well-known distinction) but with using the term
> "end system" or "ES" instead of "host".

FWIW, I've heard of it as the end system model going back to at least
1997, when HP-UX 11.0 first shipped. The vector being the ndd tunable
ip_strong_es_model.

rick jones
--
It is not a question of half full or empty - the glass has a leak.
The real question is "Can it be patched?"
these opinions are mine, all mine; HP might not want them anyway... :)
feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

dspfun
Posted: Wed May 02, 2012 5:16 am    Post subject: Re: Linux as strong end host

On 1 May, 00:29, Rick Jones wrote:
> Jorgen Grahn wrote:
> > I should add here that my problem wasn't with strong/weak (that's an
> > important and fairly well-known distinction) but with using the term
> > "end system" or "ES" instead of "host".
>
> FWIW, I've heard of it as the end system model going back to at least
> 1997, when HP-UX 11.0 first shipped.  The vector being the ndd tunable
> ip_strong_es_model.
>
> rick jones
> --
> It is not a question of half full or empty - the glass has a leak.
> The real question is "Can it be patched?"
> these opinions are mine, all mine; HP might not want them anyway... :)
> feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

Thanks for all replies.

So, in order to make a Linux host (End System) strong end, all that is
needed is:

1) Configure ARP (arp_filter=1 and arp_ignore=2)

2) Add per-interface source-based routing for outgoing traffic.

3) Add per-interface ingress filtering.

In the above, the interfaces can be a mix of physical ethernet devices
(created with ifconfig for example) and virtual ethernet devices, VLAN
(created with vconfig for example).

So, for example, if having one physical network interface, and 8 VLANs
configured on this physical interface, using the above three steps
will make the Linux host (End System) strong end?

Brs

dspfun
Posted: Wed May 02, 2012 2:02 pm    Post subject: Re: Linux as strong end host

On 27 Apr, 20:22, Rick Jones wrote:
> dspfun wrote:
> > Does there exist a "simple configuration flag" for configuring the
> > Linux host either as weak or strong?
>
> You mean like the ndd strong_es_model ndd option in HP-UX? (And
> Solaris?) I doubt Linux has something like those.

Do you think it would be useful if someone spent time on adding a
similar option to the Linux kernel?

Brs

dspfun
Posted: Wed May 02, 2012 2:59 pm    Post subject: Re: Linux as strong end host

On 2 May, 23:16, Peter Köhlmann wrote:
> dspfun wrote:
> > On 27 Apr, 20:22, Rick Jones wrote:
> >> dspfun wrote:
> >> > Does there exist a "simple configuration flag" for configuring the
> >> > Linux host either as weak or strong?
>
> >> You mean like the ndd strong_es_model ndd option in HP-UX? (And
> >> Solaris?) I doubt Linux has something like those.
>
> > Do you think it would be useful if someone spent time on adding a
> > similar option to the Linux kernel?
>
> Why would you add that to a kernel?
> It is a firewall thing on linux. You could add it with firewall rules

In Linux it (strong end) can be configured by setting up routing,
firewall rules, and arp.
But would it be beneficial (performance, ease of use, etc.) to have
this built in to the Linux networking stack so it can easily be
configured by a "simple flag"?

dspfun
Posted: Wed May 02, 2012 3:00 pm    Post subject: Re: Linux as strong end host

On 2 May, 23:23, Jorgen Grahn wrote:
> On Wed, 2012-05-02, dspfun wrote:
> > On 27 Apr, 20:22, Rick Jones wrote:
> >> dspfun wrote:
> >> > Does there exist a "simple configuration flag" for configuring the
> >> > Linux host either as weak or strong?
>
> >> You mean like the ndd strong_es_model ndd option in HP-UX? (And
> >> Solaris?) I doubt Linux has something like those.
>
> > Do you think it would be useful if someone spent time on adding a
> > similar option to the Linux kernel?
>
> I still don't get it. In your original posting you wrote:
>
>   When using Linux as an ES (End System), Linux can be configured/used
>   as supporting either the "Strong ES Model" or the "Weak ES Model".
>   The default for a Linux ES is the "Weak ES Model".
>
> What's the source for that claim, and why doesn't it also explain
> /how/ this configuration is done?  (I assume "you can rewrite the IP
> stack yourself" wasn't what the source meant, because that's trivially
> true and not very practical.)
>

With configuration I basically meant configuring/setting up source
based routing, filtering, arp, etc.

Brs

Rick Jones
Posted: Wed May 02, 2012 4:10 pm    Post subject: Re: Linux as strong end host

dspfun wrote:
> So, in order to make a Linux host (End System) strong end, all that is
> needed is:

> 1) Configure ARP (arp_filter=1 and arp_ignore=2)

> 2) Add per-interface source-based routing for outgoing traffic.

> 3) Add per-interface ingress filtering.

I cannot say that is sufficient (what I infer from "all that is
needed") but I believe they would be necessary (ie there may be more
required).

rick jones
--
oxymoron n, Hummer H2 with California Save Our Coasts and Oceans plates
these opinions are mine, all mine; HP might not want them anyway... :)
feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...
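
The three steps listed in the thread (ARP sysctls, per-interface source-based routing, per-interface ingress filtering), as an added example that is not part of any post: a shell function that reads one line per interface and prints the matching commands for review. The interface names, addresses, table numbers and the iptables `addrtype` rule are assumptions for illustration, with one IPv4 address per interface; as noted above, these steps may be necessary without being sufficient.

```shell
#!/bin/sh
# Added example (not from the thread): print the commands for the three
# steps discussed above so they can be reviewed before being applied.
#
# stdin: one line per interface, whitespace-separated fields:
#   IFACE  ADDRESS  SUBNET  GATEWAY  TABLE
# Assumption: exactly one IPv4 address per interface.

strong_es_commands() {
    nl='
'
    # Step 1: ARP settings, using the values given in the thread.
    cmds="sysctl -w net.ipv4.conf.all.arp_filter=1"
    cmds="$cmds${nl}sysctl -w net.ipv4.conf.all.arp_ignore=2"

    while read -r ifc addr net gw tbl || [ -n "$ifc" ]; do
        case "$ifc" in ''|'#'*) continue ;; esac   # skip blanks and comments

        # Validate before emitting anything: the output may be piped to sh.
        case "$tbl" in
            ''|*[!0-9]*)
                echo "strong_es_commands: bad or missing table for $ifc" >&2
                return 1 ;;
        esac
        case "$ifc$addr$net$gw" in
            *[!A-Za-z0-9./_-]*)
                echo "strong_es_commands: unexpected character in line for $ifc" >&2
                return 1 ;;
        esac

        # Step 2: source-based routing. Traffic sourced from this
        # interface's address is routed by a table that only knows
        # this interface.
        cmds="$cmds${nl}ip route add $net dev $ifc src $addr table $tbl"
        cmds="$cmds${nl}ip route add default via $gw dev $ifc table $tbl"
        cmds="$cmds${nl}ip rule add from $addr lookup $tbl"

        # Step 3: ingress filtering. Drop packets that arrive on this
        # interface for a local address other than the one assigned to it.
        # Broadcast and multicast destinations are not LOCAL, so they pass.
        cmds="$cmds${nl}iptables -A INPUT -i $ifc -m addrtype --dst-type LOCAL ! -d $addr -j DROP"
    done

    # Nothing is printed unless every input line validated.
    printf '%s\n' "$cmds"
}

# Constructed sample: two VLAN interfaces on one physical NIC
# (documentation addresses from RFC 5737).
strong_es_commands <<'EOF'
# iface  address        subnet           gateway       table
eth0.10  192.0.2.10     192.0.2.0/24     192.0.2.1     110
eth0.20  198.51.100.10  198.51.100.0/24  198.51.100.1  120
EOF
```

Run as is, the script only prints the commands; applying them needs root and should follow a review of the printed list.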