[ih] Origin of the loopback interface

Toerless Eckert tte at cs.fau.de
Tue Oct 24 07:32:25 PDT 2017


On Tue, Oct 24, 2017 at 02:48:02PM +0100, Tony Finch wrote:
> > Any URL explaining why it would be an attack to accept packets
> > for an address you have on another interface ? I can not see that attack
> > vector.
> 
> I don't have a good link handy, so I'll try to explain it here...
> 
> In John's setup he assumes that a service bound to 127.0.0.1 is only
> reachable by other processes on the same host. Maybe because of that the
> service is configured to skip authentication/authorization checks.

And it should not need to (the service).

> If I'm on the same LAN as John's host, I can get packets to his supposedly
> isolated service by crafting ethernet frames with his host's MAC address
> as the destination but 127.0.0.1 as the IP destination.

Right. So at least the (IPv6) architecture security considerations
should explain how the node's IP stack needs to filter packets destined
to scoped addresses if received from interfaces not in that scope. Not
sure how much of that verbiage exist(ed), at least back when the IPv6
architecture still endorsed site-scope addresses. Pretty sure it
was not written down for node-scoped addresses.

> You can use this trick for good as well as evil :-)

Can't come up with an example how to apply this for good.

> Back in the days of
> IP-based web virtual hosting we had a setup which bound about 96,000 IP
> addresses on the loopback interface of the web servers. The routers in
> front of these web servers had static routes configured for the loopback
> web IP addresses with a next-hop of the web server's ethernet interface.
> 
> (More details about this hack at http://fanf.livejournal.com/124030.html)

Interesting. Looks from that blog as if there is a maze of different methods
of using multiple IP addresses inside a node. Do you think that it would be
good work for IETF to think about better standardization for those mechanisms?
There is for example draft-templin-v6ops-pdhost-15 which also looks
into that direction but received little interest in the WG so far. Not
claiming that its current payload is good or bad, just that it goes in
that direction.

Toerless


> Tony.
> -- 
> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
> Irish Sea: Southwest 6 to gale 8, decreasing 4 or 5 later. Moderate or rough.
> Rain, fog patches. Moderate, occasionally very poor.
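The attack Tony describes and the filter Toerless asks for, as an added worked example (this is editor-supplied code, not code from the thread or from either author). It models a node with one Ethernet interface plus loopback, builds the attacker's frame (host's MAC as destination, 127.0.0.1 as IP destination), and runs it through two ingress decisions: the unscoped one that accepts a packet for any address the node holds on any interface, and a scoped one that rejects node-scoped (127/8) source or destination addresses arriving on a non-loopback interface. A third constructed frame, addressed to a global address bound on lo, shows that the scope check does not break the "web addresses on the loopback interface" routing trick from the blog. All MACs, addresses (RFC 5737 test nets), interface names and function names are constructed for the example.

```python
"""Added example, not from the thread: toy ingress filter for node-scoped addresses.
All MACs, IPs and interface names below are constructed."""
import ipaddress
import struct

# Constructed node: one NIC (eth0) plus the loopback interface (lo).
HOST_MAC = bytes.fromhex("001122334455")       # constructed NIC address of "John's host"
NEIGHBOUR_MAC = bytes.fromhex("66778899aabb")  # constructed LAN neighbour / attacker
HOST_ADDRESSES = {                             # addresses configured on each interface
    "lo":   {"127.0.0.1", "198.51.100.7"},     # 198.51.100.7: a global "web" address bound on lo
    "eth0": {"192.0.2.10"},
}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum. Over a header whose checksum field is valid it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                         # end-around carry
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(dst_mac: bytes, src_mac: bytes, src_ip: str, dst_ip: str,
                payload: bytes = b"", proto: int = 253) -> bytes:
    """Ethernet II + minimal IPv4 header (proto 253 = RFC 3692 experimental) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src_ip).packed,
                      ipaddress.IPv4Address(dst_ip).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + hdr + payload


def parse_frame(frame: bytes) -> dict:
    """Extract the fields the ingress decision needs; reject non-IPv4 or corrupt headers."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"dst_mac": frame[:6], "src_mac": frame[6:12],
            "src_ip": str(ipaddress.IPv4Address(ip[12:16])),
            "dst_ip": str(ipaddress.IPv4Address(ip[16:20]))}


def unscoped_decision(frame: bytes, ifname: str):
    """The behaviour the thread warns about: accept a packet for any address the node
    has on *any* interface, no matter which interface it arrived on (ifname is ignored)."""
    p = parse_frame(frame)
    if p["dst_mac"] != HOST_MAC:
        return "drop", "frame not addressed to this host"
    everything = set().union(*HOST_ADDRESSES.values())
    if p["dst_ip"] in everything:
        return "accept", "%s is one of our addresses" % p["dst_ip"]
    return "drop", "%s is not our address" % p["dst_ip"]


def scoped_decision(frame: bytes, ifname: str):
    """Same address check plus the scope rule: a node-scoped (loopback) address is only
    valid, as source or destination, on the loopback interface itself."""
    p = parse_frame(frame)
    if p["dst_mac"] != HOST_MAC:
        return "drop", "frame not addressed to this host"
    dst, src = ipaddress.ip_address(p["dst_ip"]), ipaddress.ip_address(p["src_ip"])
    if ifname != "lo" and dst.is_loopback:
        return "drop", "node-scoped destination %s arrived on %s" % (dst, ifname)
    if ifname != "lo" and src.is_loopback:
        return "drop", "node-scoped source %s arrived on %s" % (src, ifname)
    everything = set().union(*HOST_ADDRESSES.values())
    if p["dst_ip"] in everything:
        return "accept", "%s is ours and in scope on %s" % (dst, ifname)
    return "drop", "%s is not our address" % dst


# Constructed traffic. Loopback has no real link layer; the lo frame reuses the
# Ethernet framing only so the same parser can handle it.
ATTACK = build_frame(HOST_MAC, NEIGHBOUR_MAC, "192.0.2.99", "127.0.0.1", b"GET / HTTP/1.0\r\n")
SPOOF = build_frame(HOST_MAC, NEIGHBOUR_MAC, "127.0.0.1", "192.0.2.10", b"GET / HTTP/1.0\r\n")
LOCAL = build_frame(HOST_MAC, HOST_MAC, "127.0.0.1", "127.0.0.1", b"GET / HTTP/1.0\r\n")
VHOST = build_frame(HOST_MAC, NEIGHBOUR_MAC, "203.0.113.5", "198.51.100.7", b"GET / HTTP/1.0\r\n")

if __name__ == "__main__":
    for name, frame, ifname in (("attack", ATTACK, "eth0"), ("spoof", SPOOF, "eth0"),
                                ("local", LOCAL, "lo"), ("vhost", VHOST, "eth0")):
        print("%-6s on %-4s unscoped=%-6s scoped=%s" % (
            name, ifname, unscoped_decision(frame, ifname)[0], scoped_decision(frame, ifname)[1]))
```

The point of the third frame is that the scope check only bites on addresses whose scope excludes the receiving interface: 198.51.100.7 is global-scope, so a router statically forwarding it to the host's Ethernet still works, while 127.0.0.1 arriving on eth0 is dropped. On Linux the same distinction is the kernel's "martian" handling for 127/8: `sysctl net.ipv4.conf.all.route_localnet` is 0 by default, which keeps loopback-range packets off non-loopback interfaces, and `net.ipv4.conf.all.log_martians=1` logs the drops so an attempt like the one above is visible.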
