[Swan] rp_filter security implications

John Crisp jcrisp at safeandsoundit.co.uk
Thu Mar 5 19:41:34 EET 2015

On 05/03/15 16:55, Paul Wouters wrote:
> On Thu, 5 Mar 2015, John Crisp wrote:
>> I have been asked about the security implications of disabling
>> rp_filtering on a server to run libreswan.
>> Can someone give some advice on this please ?
> rp_filter is basically an implementation of RFC-3704
> https://tools.ietf.org/html/rfc3704

Thank you

> The easy answer is, "If you implement BCP38 on your routers, then the
> impact is limited to the IPsec host itself".
> If they did not implement BCP38, then this one little host is probably
> not going to make much difference.

Ah, so if you are behind a router you don't control - e.g. a VM online
such as I am testing on, then the answer is it is exposed and is there
an increased security risk, no matter how small the host :-)

Also, a lot of our users are SMEs using the server software behind
probably fairly basic routers. Is there any way to tell if BCP38 is
implemented on routers ?

> You can try and enable it on some of the interfaces.

Indeed I had considered that thank you.

I had been advised that PPTP did not have such issues (running basically
on CentOS 6 - and yes I know how bad PPTP is and I am trying to replace
it) - is there a particular reason why it is is an issue with Libreswan
(or presumably IPSEC) and if there is anything that can be done about it ?

B. Rgds

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20150305/53523185/attachment.sig>

More information about the Swan mailing list