Exactly, I tried the same using FreeBSD and NetBSD.

Setting net.inet.ip.check_interface=1 on FreeBSD stopped any ICMP Echo
replies immediately.

On NetBSD I set net.inet.ip.checkinterface=1 and it showed the same
behaviour as FreeBSD. No replies anymore whenever the "wrong"
interface was contacted.


So basically my question is which model OpenBSD is following. If it's
supposed to use the "strong model" as default, I'd have expected that it
would behave like Free-/NetBSD with check_interface/checkinterface set
to 1. If OpenBSD uses the "weak model" by default then the observed
behaviour is as expected.

However, I was surprised that there is no kernel parameter at all to
adjust this behaviour.

Thanks,

Bastian


On 18.10.19 at 02:03, Aaron Mason wrote:
> Bastian
>
> Did you perform this same test in FreeBSD/NetBSD?  What were your results?
>
> Seems to me that the results you got in test 2 are entirely consistent
> with normal behaviour - you are routing packets to the 10.0.0.0/24
> network via 192.168.100.1, so it will return a ping from 10.0.0.97 -
> the other interface on VM1 - as the packet was passed from em0 to em1,
> from which the reply was initiated.
>
> Of course, I could be wrong.  If you haven't already done so, try the
> same tests in (Free|Net)BSD with net.inet.ip.check_interface set to 1
> and see what you get.
>
> On Fri, Oct 18, 2019 at 6:53 AM Bastian Kanbach <b.kanb...@posteo.de> wrote:
>> Hello,
>>
>> recently I was performing some checks that relate to the "Strong Host
>> Model" and "Weak Host Model", and I noticed that OpenBSD was behaving
>> differently than I expected. I always assumed that the network stack of
>> OpenBSD was following the "Strong Host Model", but I might be wrong about
>> that:
>>
>> Basically the Strong Host Model means that the network stack "accepts
>> locally destined packets if the destination IP address in the packet
>> matches an IP address assigned to the network interface on which the
>> packet was received."
>>
>> FreeBSD and NetBSD have a sysctl property for this, called
>> "net.inet.ip.check_interface", which defaults to 0 (Weak Host Model).
>> However for OpenBSD I haven't seen such a property at all.
>>
>>
>> Basically my setup consisted of the following virtual machines and
>> network interfaces (IP-Forwarding disabled):
>>
>>
>> VM 1 (OpenBSD 6.5):
>>
>> em0: 192.168.100.1/24 ("Internal Network")
>>
>> em1: 10.0.0.97/24 ("NAT")
>>
>>
>> VM 2 (Ubuntu Server 18.10):
>>
>> ens33: 192.168.100.2/24 ("Internal Network")
>>
>>
>> ----
>>
>>
>> As expected, ens33 of VM2 can communicate with em0 of VM1, since both
>> interfaces are associated with the same Virtualbox network, and both IP
>> addresses are part of the same /24 subnet.
>>
>> ens33 of VM2 can't directly communicate with em1 of VM1, since the IP
>> addresses are part of different subnets and no routes were configured.
>>
>>
>> Then I performed 2 tests:
>>
>>
>> Test 1:
>>
>> Perform an arping from ens33/VM2 (192.168.100.2) to 10.0.0.97 (VM1). The
>> packet was NOT answered by VM1.
>>
>>
>> Test 2:
>>
>> Set the following route on VM2: ip r add 10.0.0.0/24 via 192.168.100.1.
>> Then send an ICMP echo request to 10.0.0.97 (VM1), originating from
>> 192.168.100.2 (VM2). VM1 replied with an ICMP echo reply (with a source
>> MAC address of interface em0).
>>
>>
>> While the behaviour of Test 1 indicates that the Strong Host Model is
>> followed, Test 2 shows the behaviour of a "Weak Host Model".
>>
>>
>> Which of the two is actually supposed to be the default for OpenBSD? Is
>> there any kernel parameter to control these behaviours, like
>> net.inet.ip.check_interface for FreeBSD or NetBSD?
>>
>>
>> Thanks,
>>
>> Bastian
>>
>>
>>
>>
>
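
Added example, not part of the original thread and not code from any of the BSD kernels: a simplified Python model of the local-delivery decision quoted above, run against VM1's addresses from the test setup. The names `Interface`, `local_delivery` and `infer_model` are hypothetical, and the model assumes forwarding is disabled and ignores ARP, loopback and packet filters.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    name: str
    cidr: str  # address/prefix as configured on the interface

    @property
    def address(self):
        return ipaddress.ip_interface(self.cidr).ip


def local_delivery(interfaces, rx_ifname, dst, strong):
    """Return the interface owning dst if the packet is accepted, else None."""
    dst = ipaddress.ip_address(dst)
    owner = next((i for i in interfaces if i.address == dst), None)
    if owner is None:
        return None  # not a local address; forwarding is disabled in this setup
    if strong and owner.name != rx_ifname:
        return None  # strong model: dst must be assigned to the receiving interface
    return owner.name  # weak model: any local address is accepted


def infer_model(interfaces, rx_ifname, dst, replied):
    """Classify one observed probe as 'weak', 'strong' or 'inconclusive'.

    Only a probe to an address owned by a *different* interface than the one
    it arrived on distinguishes the two models. Assumes no filter drops it.
    """
    owner = local_delivery(interfaces, rx_ifname, dst, strong=False)
    if owner is None or owner == rx_ifname:
        return "inconclusive"
    return "weak" if replied else "strong"


# VM1 from the test setup in the thread
VM1 = [Interface("em0", "192.168.100.1/24"), Interface("em1", "10.0.0.97/24")]

if __name__ == "__main__":
    # Test 2: echo request for 10.0.0.97 arrives on em0 and is answered
    print(infer_model(VM1, "em0", "10.0.0.97", replied=True))
    # Same probe with the check enabled, as reported for FreeBSD/NetBSD
    print(local_delivery(VM1, "em0", "10.0.0.97", strong=True))
```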
