/32 subnet

Thomas Liske liske at ibh.de
Sun Feb 8 09:06:52 UTC 2009


Hi,

On Sat, 7 Feb 2009, Gunther Mayer wrote:

> Damjan wrote:
>>>> But an iptables rule does the same thing, no?
>>>> 
>>> Not exactly: you may need it, but it's not enough. Here's an example: you 
>>> have a switched network, without any fancy features on the switch; some 
>>> clients; one Linux gateway with iptables and Chillispot, and an iptables 
>>> rule dropping client-to-client traffic.
>>> 
>>> In a classical setup, each client will get the same subnet. Therefore, 
>>> when an application tries to reach another client, the IP stack will not 
>>> forward the packet to the gateway, but directly to the other client. 
>>> Iptables cannot do anything: it is not involved in this exchange.
>>> 
>> 
>> Right, but the /32 trick can be so easily bypassed that it's not real
>> security at all. If your L2 domain is not separated, you can't do
>> anything.
>> 
>> BTW, at least some Ubuntu versions with Avahi installed would also add a
>> 169.254.0.0/16 alias address to the interface and announce itself to the
>> network. Without L2 separation (on APs and switches) the users will
>> still see each other *automatically* even with that /32 trick.
>> 
>
> After all the discussion I've seen it seems to me that the noc2c option 
> provides just another layer of security, albeit one that may easily be 
> circumvented.

Not at all. This depends on the transport layer protocol. You will never 
be able to establish TCP connections (if you protect the broadcast domain 
from ARP spoofing, at least for the gateway). On the other hand, a firewall 
wouldn't protect you from spoofed (UDP based) DNS replies, and neither does 
the noc2c option.

> If you really want *proper* isolation you'll need a layer 2 firewall such as 
> ebtables on all your switching/bridging equipment behind coova, i.e. all 
> switches, a/p's etc. that are used to enlarge the coverage of your coova 
> hotspot. The core rule would drop everything not destined or originating from 
> the gateway (coova).

I think real L2 isolation is hard to get:
  - AP isolation feature: what about clients connected to another AP in
    the same domain?
  - Cisco WLC: too expensive for small setups, but provides real (wireless)
    client isolation with multiple APs
  - HP Protected Ports: works only per switch -> same problem as
    with multiple stand-alone APs
  - Cisco Private VLANs: expensive again - all switches need to support
    it, but you get real client isolation

If you have only one switch or one AP for your HotSpot clients, there is no 
problem getting some low cost L2 isolation. But for larger setups it is not 
always an option.


Thomas
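An added illustration (not part of the thread, and not CoovaChilli code) of the routing decision the quoted paragraphs describe: a client's IP stack sends to a peer directly when the peer is on a connected subnet, and only via the gateway otherwise, so iptables or noc2c on the gateway see the packet in the second case alone. Addresses are constructed; the gateway and client IPs are assumptions.

```python
import ipaddress

# Constructed addresses (assumptions, not from the thread).
GATEWAY = "10.1.0.1"                  # the Chillispot/Coova gateway
CLIENT_B = "10.1.0.20"                # another hotspot client, same L2 segment
CLIENT_B_LINKLOCAL = "169.254.56.78"  # client B's Avahi/zeroconf alias


def next_hop(local_addrs, dest, gateway=GATEWAY):
    """Longest-prefix match over the client's on-link networks.

    Returns ("direct", <network>) when dest lies on a connected subnet: the
    stack ARPs for it and the frame never passes the gateway.  Otherwise the
    default route is used and ("gateway", gateway) is returned.  A /32 address
    has no on-link peers, so every destination except the gateway route falls
    through to the gateway.
    """
    dest_ip = ipaddress.ip_address(dest)
    best = None
    for addr in local_addrs:
        net = ipaddress.ip_interface(addr).network
        if dest_ip in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    if best is not None:
        return ("direct", str(best))
    return ("gateway", gateway)


def gateway_can_filter(local_addrs, dest):
    """True only if the packet actually traverses the gateway's forwarding path."""
    return next_hop(local_addrs, dest)[0] == "gateway"


def scenarios():
    """The three cases discussed in the thread, keyed by name."""
    return {
        # classic setup: all clients share one /24 -> direct, iptables is blind
        "classic_/24": gateway_can_filter(["10.1.0.10/24"], CLIENT_B),
        # /32 trick: the peer is not on-link -> via gateway, iptables sees it
        "/32_trick": gateway_can_filter(["10.1.0.10/32"], CLIENT_B),
        # /32 trick plus a 169.254/16 alias: link-local peers are on-link again
        "/32_plus_avahi": gateway_can_filter(
            ["10.1.0.10/32", "169.254.12.34/16"], CLIENT_B_LINKLOCAL),
    }


if __name__ == "__main__":
    for name, filterable in scenarios().items():
        print(f"{name:16} gateway iptables can filter: {filterable}")
```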


