Host model

Last updated

In computer networking, a host model is an option of designing the TCP/IP stack of a networking operating system like Microsoft Windows or Linux. When a unicast packet arrives at a host, IP must determine whether the packet is locally destined (its destination matches an address that is assigned to an interface of the host). If the IP stack is implemented with a weak host model, it accepts any locally destined packet regardless of the network interface on which the packet was received. If the IP stack is implemented with a strong host model, it only accepts locally destined packets if the destination IP address in the packet matches an IP address assigned to the network interface on which the packet was received.

Contents

The weak host model provides better network connectivity (for example, it can be easy to find any packet arriving at the host using ordinary tools), but it also makes hosts susceptible to multihome-based network attacks. For example, in some configurations when a system running a weak host model is connected to a VPN, other systems on the same subnet can compromise the security of the VPN connection. Systems running the strong host model are not susceptible to this type of attack. [1]

The IPv4 implementation in Microsoft Windows versions prior to Windows Vista uses the weak host model. The Windows Vista and Windows Server 2008 TCP/IP stack supports the strong host model for both IPv4 and IPv6 and is configured to use it by default. However, it can also be configured to use a weak host model. [2]

The IPv4 implementation in Linux defaults to the weak host model. Source validation by reversed path, as specified in RFC 1812 can be enabled (the rp_filter option), and some distributions do so by default. This is not quite the same as the strong host model, but defends against the same class of attacks for typical multihomed hosts. arp_ignore and arp_announce can also be used to tweak this behaviour.

Modern BSDs (FreeBSD, NetBSD, OpenBSD, and DragonflyBSD) all default to the weak host model. OpenBSD since 6.6-current supports strong host model by default "if and only IP forwarding is disabled", [3] with IP forwarding enabled (and for older versions) it supports reversed path source validation via its pf firewall, using the urpf-failed option, while Free-, Net-, and DragonflyBSD provide a global sysctl options.

See also

Related Research Articles

IPv6 Version 6 of the Internet Protocol

Internet Protocol version 6 (IPv6) is the most recent version of the Internet Protocol (IP), the communications protocol that provides an identification and location system for computers on networks and routes traffic across the Internet. IPv6 was developed by the Internet Engineering Task Force (IETF) to deal with the long-anticipated problem of IPv4 address exhaustion. IPv6 is intended to replace IPv4. In December 1998, IPv6 became a Draft Standard for the IETF, who subsequently ratified it as an Internet Standard on 14 July 2017.

The Internet protocol suite is the conceptual model and set of communications protocols used in the Internet and similar computer networks. It is commonly known as TCP/IP because the foundational protocols in the suite are the Transmission Control Protocol (TCP) and the Internet Protocol (IP). During its development, versions of it were known as the Department of Defense (DoD) model because the development of the networking method was funded by the United States Department of Defense through DARPA. Its implementation is a protocol stack.

The Transmission Control Protocol (TCP) is one of the main protocols of the Internet protocol suite. It originated in the initial network implementation in which it complemented the Internet Protocol (IP). Therefore, the entire suite is commonly referred to as TCP/IP. TCP provides reliable, ordered, and error-checked delivery of a stream of octets (bytes) between applications running on hosts communicating via an IP network. Major internet applications such as the World Wide Web, email, remote administration, and file transfer rely on TCP, which is part of the Transport Layer of the TCP/IP suite. SSL/TLS often runs on top of TCP.

In computing, Internet Protocol Security (IPsec) is a secure network protocol suite that authenticates and encrypts the packets of data to provide secure encrypted communication between two computers over an Internet Protocol network. It is used in virtual private networks (VPNs).

The Address Resolution Protocol (ARP) is a communication protocol used for discovering the link layer address, such as a MAC address, associated with a given internet layer address, typically an IPv4 address. This mapping is a critical function in the Internet protocol suite. ARP was defined in 1982 by RFC 826, which is Internet Standard STD 37.

Proxy ARP is a technique by which a proxy device on a given network answers the ARP queries for an IP address that is not on that network. The proxy is aware of the location of the traffic's destination, and offers its own MAC address as the destination. The traffic directed to the proxy address is then typically routed by the proxy to the intended destination via another interface or via a tunnel.

Network address translation Protocol facilitating connection of one IP address space to another

Network address translation (NAT) is a method of remapping an IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device. The technique was originally used to avoid the need to assign a new address to every host when a network was moved, or when the upstream Internet service provider was replaced, but could not route the networks address space. It has become a popular and essential tool in conserving global address space in the face of IPv4 address exhaustion. One Internet-routable IP address of a NAT gateway can be used for an entire private network.

Virtual private network Allows a private network to go through a public network

A virtual private network (VPN) extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. Applications running across a VPN may therefore benefit from the functionality, security, and management of the private network. Encryption is a common, although not an inherent, part of a VPN connection.

Zero-configuration networking (zeroconf) is a set of technologies that automatically creates a usable computer network based on the Internet Protocol Suite (TCP/IP) when computers or network peripherals are interconnected. It does not require manual operator intervention or special configuration servers. Without zeroconf, a network administrator must set up network services, such as Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS), or configure each computer's network settings manually.

IPX/SPX stands for Internetwork Packet Exchange/Sequenced Packet Exchange. IPX and SPX are networking protocols used initially on networks using the Novell NetWare operating systems, but became widely used on networks deploying Microsoft Windows LANS, as they replaced NetWare LANS.

Multihoming is the practice of connecting a host or a computer network to more than one network. This can be done in order to increase reliability or performance.

A default gateway is the node in a computer network using the internet protocol suite that serves as the forwarding host (router) to other networks when no other route specification matches the destination IP address of a packet.

In computer networks, a tunneling protocol is a communications protocol that allows for the movement of data from one network to another. It involves allowing private network communications to be sent across a public network through a process called encapsulation.

strongSwan is a multiplatform IPsec implementation. The focus of the project is on strong authentication mechanisms using X.509 public key certificates and optional secure storage of private keys and certificates on smartcards through a standardized PKCS#11 interface and on TPM 2.0.

lwIP is a widely used open-source TCP/IP stack designed for embedded systems. lwIP was originally developed by Adam Dunkels at the Swedish Institute of Computer Science and is now developed and maintained by a worldwide network of developers.

In computer networking, TUN and TAP are kernel virtual network devices. Being network devices supported entirely in software, they differ from ordinary network devices which are backed by physical network adapters.

A network socket is a software structure within a network node of a computer network that serves as an endpoint for sending and receiving data across the network. The structure and properties of a socket are defined by an application programming interface (API) for the networking architecture. Sockets are created only during the lifetime of a process of an application running in the node.

In computing, Microsoft's Windows Vista and Windows Server 2008 introduced in 2007/2008 a new networking stack named Next Generation TCP/IP stack, to improve on the previous stack in several ways. The stack includes native implementation of IPv6, as well as a complete overhaul of IPv4. The new TCP/IP stack uses a new method to store configuration settings that enables more dynamic control and does not require a computer restart after a change in settings. The new stack, implemented as a dual-stack model, depends on a strong host-model and features an infrastructure to enable more modular components that one can dynamically insert and remove.

BWPing is a tool to measure bandwidth and response times between two hosts using Internet Control Message Protocol (ICMP) echo request/echo reply mechanism. It does not require any special software on the remote host. The only requirement is the ability to respond on ICMP echo request messages. BWPing supports both IPv4 and IPv6 networks.

The Stream Control Transmission Protocol (SCTP) is a computer networking communications protocol in the Transport Layer of the Internet Protocol Suite. Originally intended for Signaling System 7 (SS7) message transport in telecommunication, the protocol provides the message-oriented feature of the User Datagram Protocol (UDP), while ensuring reliable, in-sequence transport of messages with congestion control like the Transmission Control Protocol (TCP). Unlike UDP and TCP, the protocol provides multi-homing and redundant paths to increase resilience and reliability. SCTP is standardized by the Internet Engineering Task Force (IETF) in RFC 4960. The SCTP reference implementation was released as part of FreeBSD version 7, and has since been widely ported to other platforms.

References

  1. Tolley, William J. (2019-12-04). "[CVE-2019-14899] Inferring and hijacking VPN-tunneled TCP connections". Open Source Security Mailing List. Retrieved 2020-02-20.
  2. Davies, Joseph (2016-09-07). "The Cable Guy Strong and Weak Host Models". Microsoft Technet . Retrieved 2020-02-20.
  3. Nedvedicky, Alexandr (2019-12-08). "attention please: host's IP stack behavior got changed slightly". openbsd-tech mailing list. Retrieved 2020-02-20.


This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.