On 05/03/15 16:55, Paul Wouters wrote:
> On Thu, 5 Mar 2015, John Crisp wrote:
>
>> I have been asked about the security implications of disabling
>> rp_filtering on a server to run libreswan.
>>
>> Can someone give some advice on this please ?
>
> rp_filter is basically an implementation of RFC-3704
>
> https://tools.ietf.org/html/rfc3704
>

Thank you

> The easy answer is, "If you implement BCP38 on your routers, then the
> impact is limited to the IPsec host itself".
>
> If they did not implement BCP38, then this one little host is probably
> not going to make much difference.

Ah, so if you are behind a router you don't control - e.g. a VM online such as I am testing on, then the answer is it is exposed and is there an increased security risk, no matter how small the host :-)

Also, a lot of our users are SMEs using the server software behind probably fairly basic routers.

Is there any way to tell if BCP38 is implemented on routers ?

>
> You can try and enable it on some of the interfaces.
>

Indeed I had considered that thank you.

I had been advised that PPTP did not have such issues (running basically on CentOS 6 - and yes I know how bad PPTP is and I am trying to replace it) - is there a particular reason why it is an issue with Libreswan (or presumably IPSEC) and if there is anything that can be done about it ?

B. Rgds
John
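An added example, not part of the original thread and not libreswan's own code: the Linux kernel uses the higher of `conf/all/rp_filter` and `conf/<interface>/rp_filter` for each interface, so the check can stay on for some interfaces while it is off on others. The script below reports the effective mode per interface; `CONF_DIR` and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: report the effective rp_filter mode for each interface.
# The kernel applies max(conf/all/rp_filter, conf/<iface>/rp_filter), so
# all=0 with <iface>=1 keeps strict filtering on that interface only.

# CONF_DIR is an assumption of this example so a test tree can be used.
CONF_DIR="${CONF_DIR:-/proc/sys/net/ipv4/conf}"

# Map the numeric sysctl value to the mode it selects.
mode_name() {
    case "$1" in
        0) echo "off" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown" ;;
    esac
}

# effective_rp_filter IFACE: print the value the kernel will actually use.
effective_rp_filter() {
    all=$(cat "$CONF_DIR/all/rp_filter" 2>/dev/null) || return 1
    dev=$(cat "$CONF_DIR/$1/rp_filter" 2>/dev/null) || return 1
    if [ "$dev" -gt "$all" ]; then echo "$dev"; else echo "$all"; fi
}

# Print "iface<TAB>value<TAB>mode" for every real interface.
report_rp_filter() {
    for d in "$CONF_DIR"/*/; do
        iface=$(basename "$d")
        # "all" and "default" are templates, not interfaces.
        case "$iface" in all|default) continue ;; esac
        eff=$(effective_rp_filter "$iface") || continue
        printf '%s\t%s\t%s\n' "$iface" "$eff" "$(mode_name "$eff")"
    done
}

# Run as: sh rp_filter_report.sh report   (the file name is hypothetical)
if [ "${1:-}" = "report" ]; then
    report_rp_filter
fi
```

An interface reported as `off` is one where reverse-path validation is not applied, which is the set to review against the BCP38 question above.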
