[Swan] rp_filter security implications
John Crisp
jcrisp at safeandsoundit.co.uk
Thu Mar 5 19:41:34 EET 2015
On 05/03/15 16:55, Paul Wouters wrote:
> On Thu, 5 Mar 2015, John Crisp wrote:
>
>> I have been asked about the security implications of disabling
>> rp_filtering on a server to run libreswan.
>>
>> Can someone give some advice on this please ?
>
> rp_filter is basically an implementation of RFC-3704
>
> https://tools.ietf.org/html/rfc3704
>
Thank you
> The easy answer is, "If you implement BCP38 on your routers, then the
> impact is limited to the IPsec host itself".
>
> If they did not implement BCP38, then this one little host is probably
> not going to make much difference.
Ah, so if you are behind a router you don't control - e.g. a VM online
such as I am testing on, then the answer is it is exposed and is there
an increased security risk, no matter how small the host :-)
Also, a lot of our users are SMEs using the server software behind
probably fairly basic routers. Is there any way to tell if BCP38 is
implemented on routers ?
>
> You can try and enable it on some of the interfaces.
>
Indeed I had considered that thank you.
I had been advised that PPTP did not have such issues (running basically
on CentOS 6 - and yes I know how bad PPTP is and I am trying to replace
it) - is there a particular reason why it is an issue with Libreswan
(or presumably IPSEC) and if there is anything that can be done about it ?
B. Rgds
John
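One practical detail behind the suggestion to enable rp_filter only on some interfaces, shown as an added example that is not from the thread: on Linux the kernel uses the higher of net.ipv4.conf.all.rp_filter and the per-interface value, so a per-interface 0 does not switch the check off while "all" is still 1. The script below works on a constructed sysctl sample (ipsec0 is a hypothetical interface name, the values are made up) and reports the mode actually in effect on each interface.

```shell
#!/bin/sh
# Constructed sample of `sysctl net.ipv4.conf` output for a libreswan host;
# not captured from a real machine. ipsec0 is a hypothetical interface name.
SAMPLE_SYSCTL='net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.ipsec0.rp_filter = 2'

# Configured rp_filter value for one key: all, default, or an interface name.
rp_value() {
    printf '%s\n' "$SAMPLE_SYSCTL" |
        awk -v k="net.ipv4.conf.$1.rp_filter" '$1 == k { print $3 }'
}

# The kernel applies max(conf.all.rp_filter, conf.<iface>.rp_filter) when
# validating the source address of packets arriving on <iface>
# (Documentation/networking/ip-sysctl.txt), so "all" can only raise the mode.
effective_rp_filter() {
    all=$(rp_value all)
    iface=$(rp_value "$1")
    if [ "$all" -gt "$iface" ]; then echo "$all"; else echo "$iface"; fi
}

# Human-readable name for an rp_filter value: 0 off, 1 strict, 2 loose.
rp_mode_name() {
    case "$1" in
        0) echo "off" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown" ;;
    esac
}

# Print every interface in the sample with its configured and effective mode;
# with "all" at 1, eth0's configured 0 still leaves strict checking in effect.
report() {
    printf '%s\n' "$SAMPLE_SYSCTL" |
        awk -F'[. ]' '$4 != "all" && $4 != "default" { print $4 }' |
        while read -r ifc; do
            printf '%-8s configured=%-7s effective=%s\n' "$ifc" \
                "$(rp_mode_name "$(rp_value "$ifc")")" \
                "$(rp_mode_name "$(effective_rp_filter "$ifc")")"
        done
}

report
```

To run loose mode on just the IPsec interface while keeping strict checks elsewhere, "all" has to be lowered (for example to 0) and the per-interface values set individually, since the higher of the two always wins.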