DigiMoon: DigiMoon's own memory store, where the fun is in wiping, tightening and oiling things as I please

Posted
Filed under Computer Explorations/Linux
Source:
https://access.redhat.com/site/solutions/53031

Why does Red Hat Enterprise Linux 6 invalidate / discard packets when the route for outbound traffic differs from the route of incoming traffic?



Issue

• Why does Red Hat Enterprise Linux 6 invalidate / discard packets when the route for outbound traffic differs from the route of incoming traffic?

• Why does Red Hat Enterprise Linux 6 differ from Red Hat Enterprise Linux 5 in handling asymmetrically routed packets?


Environment

• Red Hat Enterprise Linux (RHEL) 6


Resolution


Temporary change

Before changing anything, confirm that reverse-path filtering is really what drops the traffic: set net.ipv4.conf.all.log_martians to 1 and look for "martian source" messages in the kernel log (dmesg or /var/log/messages).

To accept asymmetrically routed packets (outgoing and incoming routes differ), switch "rp_filter" to loose mode by setting it to 2 with the following commands. Writes to /proc/sys take effect immediately and are lost at reboot; the "all" setting covers interfaces that already exist, while "default" only seeds interfaces created afterwards:

    # echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter
    # echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter



Persistent change

To make this behaviour persist across reboots, change the shipped net.ipv4.conf.default.rp_filter = 1 in /etc/sysctl.conf to the line below (run sysctl -p to apply it without rebooting). Because the kernel applies the higher of net.ipv4.conf.all.rp_filter and the per-interface value, adding net.ipv4.conf.all.rp_filter = 2 as well guarantees loose mode on every interface, including any that is already up when sysctl.conf is applied:

    net.ipv4.conf.default.rp_filter = 2
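The two sysctls used above interact in a way the commands do not make visible: the RHEL6 kernel uses the higher of the "all" and per-interface values, and "default" only affects interfaces created later. The following added example (Python, not part of the Red Hat article) reads the live /proc/sys/net/ipv4/conf tree, resolves the mode that actually applies to each interface, and prints the sysctl.conf lines needed for loose mode everywhere. The conf_root argument is a parameter of this script, not a kernel interface; it exists so the resolution logic can be run against a copied or constructed tree. The code avoids Python 2.7-only syntax so it also runs on the Python 2.6 shipped with RHEL6.

```python
"""Resolve the rp_filter mode that actually applies to each interface.

Added example, not part of the Red Hat article. On the RHEL6 (2.6.32)
kernel the value used for an interface is the higher of
net.ipv4.conf.all.rp_filter and net.ipv4.conf.<iface>.rp_filter;
net.ipv4.conf.default.rp_filter only seeds interfaces created later.
"""
import os
import sys

MODES = {0: "off", 1: "strict", 2: "loose"}


def effective_rp_filter(all_value, iface_value):
    """Mirror the kernel's rule: the higher of 'all' and the interface value wins."""
    return max(all_value, iface_value)


def mode_name(value):
    """Human-readable name; values outside 0..2 are reported as-is."""
    return MODES.get(value, "unknown(%d)" % value)


def audit_values(all_value, iface_values):
    """Return {iface: (configured, effective_mode_name)} from raw values.

    iface_values maps interface name -> that interface's own rp_filter setting.
    """
    return dict(
        (iface, (configured, mode_name(effective_rp_filter(all_value, configured))))
        for iface, configured in sorted(iface_values.items())
    )


def strict_interfaces(report):
    """Interfaces on which asymmetrically routed traffic will be dropped."""
    return [iface for iface, (_, mode) in sorted(report.items()) if mode == "strict"]


def read_rp_filter(conf_root, name):
    """Read conf_root/<name>/rp_filter as an integer."""
    fh = open(os.path.join(conf_root, name, "rp_filter"))
    try:
        return int(fh.read().strip())
    finally:
        fh.close()


def audit(conf_root="/proc/sys/net/ipv4/conf"):
    """Read a sysctl conf tree and resolve the effective mode per interface."""
    all_value = read_rp_filter(conf_root, "all")
    iface_values = dict(
        (name, read_rp_filter(conf_root, name))
        for name in os.listdir(conf_root)
        if name not in ("all", "default")
    )
    return audit_values(all_value, iface_values)


def loose_mode_sysctl_lines():
    """sysctl.conf lines for loose mode everywhere: 'all' for interfaces
    that already exist, 'default' for interfaces created after boot."""
    return ["net.ipv4.conf.all.rp_filter = 2",
            "net.ipv4.conf.default.rp_filter = 2"]


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/proc/sys/net/ipv4/conf"
    report = audit(root)
    for iface, (configured, mode) in sorted(report.items()):
        print("%-10s configured=%d effective=%s" % (iface, configured, mode))
    strict = strict_interfaces(report)
    if strict:
        print("strict RPF active on: %s" % ", ".join(strict))
        print("to switch to loose mode add to /etc/sysctl.conf:")
        for line in loose_mode_sysctl_lines():
            print("  " + line)
```

Run it as root on the affected host with no arguments; an interface reported as "strict" while "all" is 0 is exactly the RHEL6 default situation described in the root cause below, and explains why setting only net.ipv4.conf.default.rp_filter after the interfaces are already up changes nothing until they are recreated.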




Root cause

RHEL6 (unlike RHEL5) defaults to using 'Strict' Reverse Path Forwarding (RPF) filtering.

Comments

The sysctl net.ipv4.conf.default.rp_filter selects the RPF filtering setting that newly created IPv4 interfaces inherit. It can be overridden per network interface through net.ipv4.conf.<interfacename>.rp_filter, and net.ipv4.conf.all.rp_filter applies to every interface at once; on the RHEL6 kernel the value in effect for an interface is the higher of its own setting and the "all" setting, which is why the shipped default of 1 still gives strict filtering even though "all" is left at 0.

Both RHEL6 and RHEL5 ship with a default /etc/sysctl.conf that sets this sysctl to 1, but the meaning of this value differs between the RHEL6 and the RHEL5 kernels.


In RHEL5, the sysctl is documented as follows (cf. /usr/share/doc/kernel-doc-2.6.18/Documentation/networking/ip-sysctl.txt):

rp_filter - BOOLEAN
        1 - do source validation by reversed path, as specified in RFC1812
            Recommended option for single homed hosts and stub network
            routers. Could cause troubles for complicated (not loop free)
            networks running a slow unreliable protocol (sort of RIP),
            or using static routes.

        0 - No source validation.

        conf/all/rp_filter must also be set to TRUE to do source validation
        on the interface

        Default value is 0. Note that some distributions enable it
        in startup scripts.

whereas in RHEL6 (cf. /usr/share/doc/kernel-doc-2.6.32/Documentation/networking/ip-sysctl.txt) there are three possible values for this setting:

rp_filter - INTEGER
        0 - No source validation.

        1 - Strict mode as defined in RFC3704 Strict Reverse Path
            Each incoming packet is tested against the FIB and if the interface
            is not the best reverse path the packet check will fail.
            By default failed packets are discarded.

        2 - Loose mode as defined in RFC3704 Loose Reverse Path
            Each incoming packet's source address is also tested against the FIB
            and if the source address is not reachable via any interface
            the packet check will fail.

        Current recommended practice in RFC3704 is to enable strict mode
        to prevent IP spoofing from DDoS attacks. If using asymmetric routing
        or other complicated routing, then loose mode is recommended.

        conf/all/rp_filter must also be set to non-zero to do source validation
        on the interface

        Default value is 0. Note that some distributions enable it
        in startup scripts.

with the value 2 corresponding to the behaviour that value 1 provided in RHEL5.

Thus, RHEL6's default setting is more strict than RHEL5's, as RHEL6 follows the Strict Reverse Path Forwarding filtering recommended in RFC 3704, Ingress Filtering for Multihomed Networks.
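To make the difference between the three values concrete, here is an added example (Python 3, not from the article or from the kernel source) that applies the strict and loose semantics documented above to a constructed routing table and three constructed packets: a symmetric one, the asymmetric case this article is about, and a source with no route back at all. The FIB entries, interface names and addresses are all invented for the example; the decision logic follows the ip-sysctl.txt wording, not the kernel's fib_validate_source() code.

```python
"""Simulate the RHEL6 rp_filter decision for an incoming IPv4 packet.

Added example (Python 3), not from the article or the kernel source. It
implements the documented semantics: strict (1) requires the best route
back to the source to leave via the ingress interface, loose (2) only
requires that some route back exists, 0 checks nothing.
The FIB and the packets below are constructed for illustration.
"""
import ipaddress

OFF, STRICT, LOOSE = 0, 1, 2

# Constructed FIB of a dual-homed host: (prefix, egress interface).
# Deliberately no default route, so unrouted sources are "unreachable".
FIB = [
    ("10.0.0.0/8", "eth0"),      # internal networks normally reached via eth0
    ("10.20.0.0/16", "eth1"),    # one /16 that is directly attached on eth1
    ("192.168.1.0/24", "eth1"),  # management LAN on eth1
]


def best_route(fib, src):
    """Longest-prefix match for src; return the egress interface or None."""
    addr = ipaddress.ip_address(src)
    best_net, best_iface = None, None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def rp_filter_accepts(mode, fib, src, ingress):
    """True if a packet from src arriving on ingress passes the RPF check."""
    if mode == OFF:
        return True
    reverse_iface = best_route(fib, src)
    if reverse_iface is None:
        return False                # no route back: both modes drop it
    if mode == STRICT:
        return reverse_iface == ingress
    return True                     # loose: any reverse route is enough


def classify(fib, src, ingress):
    """Return (strict_result, loose_result) for one packet."""
    return (rp_filter_accepts(STRICT, fib, src, ingress),
            rp_filter_accepts(LOOSE, fib, src, ingress))


if __name__ == "__main__":
    packets = [
        ("10.20.5.5", "eth1"),    # symmetric: best route back is eth1
        ("10.30.5.5", "eth1"),    # asymmetric: arrives on eth1, best route back is eth0
        ("203.0.113.9", "eth0"),  # unroutable source: spoofed or badly routed
    ]
    for src, ingress in packets:
        strict_ok, loose_ok = classify(FIB, src, ingress)
        print("%-14s in on %s: strict=%s loose=%s" % (
            src, ingress,
            "pass" if strict_ok else "DROP",
            "pass" if loose_ok else "DROP"))
```

The second packet is the RHEL5-to-RHEL6 surprise: the reply would go out eth0, so strict mode drops a packet that arrived on eth1, while loose mode accepts it. The third packet shows what loose mode still buys over 0. Note the caveat for real hosts: once a default route exists, almost every source address is "reachable via some interface", so loose mode then only rejects sources covered by no route at all (for example prefixes deliberately blackholed), which is why the kernel documentation still recommends strict mode wherever routing is symmetric.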
Creative Commons License
2014/06/11 02:47

DigiMoon.net :: [RHEL] Why does Red Hat Enterprise Linux 6 invalidate / discard packets when the route for outbound traffic differs from the route of incoming traffic?
