On Thu, Oct 17, 2019 at 09:50:28PM +0200, Bastian Kanbach wrote:
> Hello,
> 
> recently I was performing some checks that relate to the "Strong Host
> Model" and "Weak Host Model", and I noticed that OpenBSD was behaving
> differently than I expected. I always assumed that the network stack of
> OpenBSD was following the "Strong Host Model", but I might be wrong about
> that:

OpenBSD does follow the "Weak Host Model". Has always been like that.
 
> Basically the Strong Host Model means that the network stack "accepts
> locally destined packets if the destination IP address in the packet
> matches an IP address assigned to the network interface on which the
> packet was received."
> 
> FreeBSD and NetBSD have a sysctl property for this, called
> "net.inet.ip.check_interface", which defaults to 0 (Weak Host Model).
> However for OpenBSD I haven't seen such a property at all.
> 
> 
> Basically my setup consisted of the following virtual machines and
> network interfaces (IP-Forwarding disabled):
> 
> 
> VM 1 (OpenBSD 6.5):
> 
> em0: 192.168.100.1/24 ("Internal Network")
> 
> em1: 10.0.0.97/24 ("NAT")
> 
> 
> VM 2 (Ubuntu Server 18.10):
> 
> ens33: 192.168.100.2/24 ("Internal Network")
> 
> 
> ----
> 
> 
> As expected, ens33 of VM2 can communicate with em0 of VM1, since both
> interfaces are associated with the same Virtualbox network, and both IP
> addresses are part of the same /24 subnet.
> 
> ens33 of VM2 can't directly communicate with em1 of VM1, since the IP
> addresses are part of different subnets and no routes were configured.
> 
> 
> Then I performed 2 tests:
> 
> 
> Test 1:
> 
> Perform an arping from ens33/VM2 (192.168.100.2) to 10.0.0.97 (VM1). The
> packet was NOT answered by VM1.
> 

This is a Layer 2 ARP test. Since 10.0.0.97 is not on that interface, ARP
will not answer. The host model only matters for Layer 3.

> 
> Test 2:
> 
> Set the following route on VM2: ip r add 10.0.0.0/24 via 192.168.100.1.
> Then send an ICMP echo request to 10.0.0.97 (VM1), originating from
> 192.168.100.2 (VM2). VM1 replied with an ICMP echo reply (with a source
> MAC address of interface em0).
> 
> 
> While the behaviour of Test 1 indicates that the Strong Host Model is
> followed, Test 2 shows the behaviour of a "Weak Host Model".
 
No, Test 1 is not the right test for the host model.
 
> Which of the two is actually supposed to be the default for OpenBSD? Is
> there any kernel parameter to control these behaviours, like
> net.inet.ip.check_interface for FreeBSD or NetBSD?

We don't have a button and just follow the "Weak Host Model".
You can enforce a strong model per interface with pf(4):

    block in on !em0 inet to (em0)

or

    block in
    pass in on em0 to (em0)
    pass in on em1 to (em1)

-- 
:wq Claudio
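
The two tests and the two pf rulesets from this thread, run through a small model, as an added example that is not part of the original messages and is not OpenBSD code. It assumes IPv4 only, one address per interface, no state tracking and no `quick`; the function names and `RULE_EM1` are hypothetical.

```python
from ipaddress import ip_address

# VM1's interfaces as given in the thread (one IPv4 address each).
VM1 = {"em0": ip_address("192.168.100.1"), "em1": ip_address("10.0.0.97")}

# Simplified inbound pf rules: (action, on_iface, negate_iface, to_iface).
# None means "any". RULESET_A and RULESET_B mirror the rules in the reply.
RULESET_A = [("block", "em0", True, "em0")]   # block in on !em0 inet to (em0)
RULESET_B = [("block", None, False, None),    # block in
             ("pass", "em0", False, "em0"),   # pass in on em0 to (em0)
             ("pass", "em1", False, "em1")]   # pass in on em1 to (em1)
# Assumption, not in the reply: the one-line rule written for em1 as well.
RULE_EM1 = [("block", "em1", True, "em1")]    # block in on !em1 inet to (em1)

def arp_replies(ifaces, rx_if, target):
    """Layer 2: ARP is answered only for an address on the receiving interface."""
    return ifaces[rx_if] == ip_address(target)

def weak_host_accepts(ifaces, dst):
    """Weak host model: deliver locally if dst is any address the host owns."""
    return ip_address(dst) in ifaces.values()

def pf_passes(rules, ifaces, rx_if, dst):
    """Evaluate inbound rules with pf's last-match-wins; the default is pass."""
    verdict = "pass"
    for action, on_if, negate, to_if in rules:
        if on_if is not None and (rx_if == on_if) == negate:
            continue  # interface clause does not match this packet
        if to_if is not None and ifaces[to_if] != ip_address(dst):
            continue  # destination is not that interface's address
        verdict = action
    return verdict == "pass"

def delivered(rules, ifaces, rx_if, dst):
    """A packet reaches the local stack if pf passes it and the host owns dst."""
    return pf_passes(rules, ifaces, rx_if, dst) and weak_host_accepts(ifaces, dst)

if __name__ == "__main__":
    print("Test 1, ARP for 10.0.0.97 on em0:", arp_replies(VM1, "em0", "10.0.0.97"))
    for name, rules in [("no pf rules", []), ("ruleset A", RULESET_A),
                        ("ruleset A + em1 rule", RULESET_A + RULE_EM1),
                        ("ruleset B", RULESET_B)]:
        print("Test 2 with", name, "->", delivered(rules, VM1, "em0", "10.0.0.97"))
```

In this model the Test 2 packet (arriving on em0, addressed to em1's 10.0.0.97) is still delivered under the one-line rule for em0, because that rule guards only em0's address. It is dropped once the same rule exists for em1, or under the block/pass ruleset.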
