[Swan] rp_filter security implications

Paul Wouters paul at nohats.ca
Thu Mar 5 17:55:07 EET 2015


On Thu, 5 Mar 2015, John Crisp wrote:

> I have been asked about the security implications of disabling
> rp_filtering on a server to run libreswan.
>
> Can someone give some advice on this please?

rp_filter is basically an implementation of RFC-3704

https://tools.ietf.org/html/rfc3704

So check out the introduction of that document.

The easy answer is, "If you implement BCP38 on your routers, then the
impact is limited to the IPsec host itself".

If they did not implement BCP38, then this one little host is probably
not going to make much difference.

You can try and enable it on some of the interfaces.

Paul
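
Added example, not part of the original message: a shell helper that reports the effective rp_filter mode per interface, which is what decides whether enabling or disabling it "on some of the interfaces" actually takes effect. The kernel applies the maximum of conf/all and conf/<interface>; the interface names and sample values below are constructed, and the function name is hypothetical.

```shell
#!/bin/sh
# Effective reverse-path filtering per interface.
# Modes: 0 = off, 1 = strict (RFC 3704 strict mode), 2 = loose.
# The kernel uses max(conf/all/rp_filter, conf/<iface>/rp_filter), so a
# per-interface 0 does nothing while conf/all is still 1 or 2.

# Constructed sample in `sysctl -a` format; eth0 is assumed to be the
# IPsec-facing interface, eth1 an internal one.
SAMPLE='net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 0'

# effective_rp_filter (hypothetical name): reads sysctl lines on stdin and
# prints "<iface> <effective value> <mode>" for each real interface.
effective_rp_filter() {
    awk -F'[ =]+' '
        /^net\.ipv4\.conf\..*\.rp_filter/ {
            name = $1
            sub(/^net\.ipv4\.conf\./, "", name)
            sub(/\.rp_filter$/, "", name)
            val[name] = $2 + 0
        }
        END {
            mode[0] = "off"; mode[1] = "strict"; mode[2] = "loose"
            all = ("all" in val) ? val["all"] : 0
            for (n in val) {
                # "all" and "default" are templates, not interfaces
                if (n == "all" || n == "default") continue
                eff = (val[n] > all) ? val[n] : all
                print n, eff, mode[eff]
            }
        }
    ' | sort
}

# Run against the constructed sample. On a live host, feed it
# `sysctl -a 2>/dev/null | grep '\.rp_filter'` instead.
printf '%s\n' "$SAMPLE" | effective_rp_filter
```

With conf/all at 0, eth1 keeps strict filtering while eth0 has none; setting conf/all to 1 would silently re-enable strict mode on eth0 as well.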

