[vpn-help] virtual adapter routing broken on Ubuntu 10.04??

r hayman rhayman at visi.com
Tue Jul 13 15:08:40 CDT 2010


I have an answer to my own question.

According to RFC1812 - Requirements for IP Version 4 Routers (snippet
below), arguably it appears that Ubuntu 10.04 (and 9.04) desktop do not
adhere to this RFC since they implement the Source Address Validation
and enable it by default.  One can argue that Ubuntu desktop is not an
IPv4 router per se; regardless, disabling this feature on the
client/remote host side of the VPN (the host that runs the ShrewSoft VPN
client) resolves the problem with virtual adapter (ModeConfig)
configurations not being able to see or ping the remote LAN.

> 5.3.8 Source Address Validation
> 
>    A router SHOULD IMPLEMENT the ability to filter traffic based on a
>    comparison of the source address of a packet and the forwarding table
>    for a logical interface on which the packet was received.  If this
>    filtering is enabled, the router MUST silently discard a packet if
>    the interface on which the packet was received is not the interface
>    on which a packet would be forwarded to reach the address contained
>    in the source address.  In simpler terms, if a router wouldn't route
>    a packet containing this address through a particular interface, it
>    shouldn't believe the address if it appears as a source address in a
>    packet read from this interface.
> 
>    If this feature is implemented, it MUST be disabled by default.
> 
>    DISCUSSION
>       This feature can provide useful security improvements in some
>       situations, but can erroneously discard valid packets in
>       situations where paths are asymmetric.

Disabling Source Address Validation is a double-edged sword, particularly if
the client machine is directly connected to the Internet, since packet spoofing
malware has a much easier time with this disabled.
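To make the quoted RFC 1812 rule concrete, here is an added Python model (not from the post, from ShrewSoft, or from Ubuntu) that applies section 5.3.8 to a constructed forwarding table for a VPN client with a virtual adapter, using the three modes the Linux kernel exposes through the `rp_filter` sysctl (0 off, 1 strict, 2 loose). The interface names, prefixes, blackhole entry and sample packets are all constructed for illustration.

```python
import ipaddress
from typing import Optional

# Constructed forwarding table for the VPN client host (sample data, not from the post):
# destination prefix -> egress interface; None models an unreachable/blackhole route.
FORWARDING_TABLE = {
    ipaddress.ip_network("0.0.0.0/0"): "eth0",         # default route, Internet side
    ipaddress.ip_network("192.168.1.0/24"): "eth0",    # local LAN
    ipaddress.ip_network("10.20.0.0/16"): "tap0",      # remote LAN via the VPN virtual adapter
    ipaddress.ip_network("10.99.0.0/16"): None,        # explicitly unreachable prefix
}


def egress_interface(addr: str, table=FORWARDING_TABLE) -> Optional[str]:
    """Longest-prefix match: the interface a packet *to* addr would leave on."""
    ip = ipaddress.ip_address(addr)
    matches = [net for net in table if ip in net]
    if not matches:
        return None
    return table[max(matches, key=lambda n: n.prefixlen)]


def source_address_valid(src: str, ingress: str, mode: int, table=FORWARDING_TABLE) -> bool:
    """RFC 1812 5.3.8 source address validation, with the modes Linux exposes as rp_filter.

    mode 0: validation disabled, every source is believed.
    mode 1: strict; the route back to src must leave via the ingress interface.
    mode 2: loose; some route back to src must exist, on any interface.
    """
    if mode == 0:
        return True
    reverse_path = egress_interface(src, table)
    if mode == 2:
        return reverse_path is not None
    return reverse_path == ingress


if __name__ == "__main__":
    # Constructed packets: (source address, interface it arrived on, description)
    packets = [
        ("10.20.5.9", "tap0", "remote LAN reply via the virtual adapter (symmetric)"),
        ("10.20.5.9", "eth0", "remote LAN source seen on eth0: asymmetric path or spoof"),
        ("10.99.1.1", "eth0", "source with no route at all"),
        ("203.0.113.10", "eth0", "ordinary Internet source"),
    ]
    for src, ifc, why in packets:
        verdicts = {m: source_address_valid(src, ifc, m) for m in (0, 1, 2)}
        print(f"{src:>13} on {ifc}: off={verdicts[0]!s:5} strict={verdicts[1]!s:5} "
              f"loose={verdicts[2]!s:5}  # {why}")
```

The second sample packet is the double-edged sword from the post: strict mode drops it whether it is a legitimate reply that took an asymmetric path or a spoofed packet, and with validation off both are accepted; loose mode still rejects sources that have no route at all.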



