Re: RFC1812 and CLUSTERIP

Author: Oskar Andreasson
Date:  
To: Patrick McHardy
CC: netfilter-devel
Subject: Re: RFC1812 and CLUSTERIP
Hi Patrick,

It seems to me that the CLUSTERIP target relies on multicast mac to
receive packets to several hosts at the same time. Without it, only a
single machine would actually get the data? According to RFC 1812, as
you could see in the snippet, this seems to be a prohibited behavior,
more or less.

According to the RFC 1812 snippet below, it is prohibited for a router
to handle or believe in ARP replies from another (in this case) host
that basically says, send data for this host ip address to this
multicast mac address.

If a router is perfectly RFC 1812 compliant, it should to my
understanding simply not send the packets to the host in this case. It
does however not state what to do with the packets from what I've seen.

I guess this isn't a big deal yet (maybe never, who knows), but I'd
wander and make a guess that it would be a bugger to try and find out
what the hell is going on if you actually did find yourself in the
situation?

How about either document that the (possible) problem exists,
alternatively to write some kind of check for iptables to only allow
multicast ip addresses together with the CLUSTERIP target? Since the
second suggestion probably will break some users implementations, I'd at
least suggest documenting it and/or give off a warning if people do it?

On Thu, 2006-10-26 at 00:26 +0200, Patrick McHardy wrote:
> Oskar Andreasson wrote:
> > Hi all again,
> >
> > I've snowed in on the CLUSTERIP target to some extent, and I am still
> > figuring it out to some extent.
> >
> > One question that came to mind is its use of multicast MAC addresses. Is
> > it really allowed to make use of them in the way that it is right now?
> >
> > From RFC 1812 section 3.3.2:
> >
> > ------
> > A router MUST not believe any ARP reply that claims that the Link
> > Layer address of another host or router is a broadcast or multicast
> > address.
> > ------
> >
> > As I understand it, this is exactly what the CLUSTERIP target does?
> > Behaves as if a single host has a multicast address?
>
> I'm not too familiar with the CLUSTERIP target, what behaviour
> exactly are you referring to?