36:
389:
175:
is implemented with a weak host model, it accepts any locally destined packet regardless of the network interface on which the packet was received. If the IP stack is implemented with a strong host model, it only accepts locally destined packets if the destination IP address in the packet matches an
224:
defaults to the weak host model. Source validation by reversed path, as specified in RFC 1812 can be enabled (the rp_filter option), and some distributions do so by default. This is not quite the same as the strong host model, but defends against the same class of attacks for typical multihomed
183:-based network attacks. For example, in some configurations when a system running a weak host model is connected to a VPN, other systems on the same subnet can compromise the security of the VPN connection. Systems running the strong host model are not susceptible to this type of attack.
244:) all default to the weak host model. OpenBSD since 6.6-current supports strong host model by default "if and only IP forwarding is disabled", with IP forwarding enabled (and for older versions) it supports reversed path source validation via its
179:
The weak host model provides better network connectivity (for example, it can be easy to find any packet arriving at the host using ordinary tools), but it also makes hosts susceptible to
434:
171:
must determine whether the packet is locally destined (its destination matches an address that is assigned to an interface of the host). If the
427:
119:
463:
160:
420:
57:
100:
458:
72:
453:
53:
79:
46:
172:
86:
68:
213:
and is configured to use it by default. However, it can also be configured to use a weak host model.
203:
133:
372:
312:
191:
168:
149:
404:
307:
248:
firewall, using the urpf-failed option, while Free-, Net-, and
DragonflyBSD provide a global
396:
361:
145:
334:
93:
164:
17:
447:
245:
199:
195:
241:
365:
180:
35:
283:"[CVE-2019-14899] Inferring and hijacking VPN-tunneled TCP connections"
176:
IP address assigned to the network interface on which the packet was received.
225:
hosts. arp_ignore and arp_announce can also be used to tweak this behaviour.
282:
400:
237:
229:
157:
249:
233:
206:
141:
388:
221:
153:
335:"attention please: host's IP stack behavior got changed slightly"
261:
217:
210:
187:
29:
373:"vlan(4), native vlan/vlan1, OpenBSD v.s. NetBSD behavior"
368:- Requirements for Internet Hosts -- Communication Layers
408:
209:
stack supports the strong host model for both IPv4 and
60:. Unsourced material may be challenged and removed.
428:
8:
308:"The Cable Guy Strong and Weak Host Models"
435:
421:
120:Learn how and when to remove this message
273:
7:
385:
383:
58:adding citations to reliable sources
333:Nedvedicky, Alexandr (2019-12-08).
407:. You can help Knowledge (XXG) by
25:
287:Open Source Security Mailing List
281:Tolley, William J. (2019-12-04).
387:
34:
45:needs additional citations for
198:uses the weak host model. The
140:is an option of designing the
1:
306:Davies, Joseph (2016-09-07).
480:
382:
339:openbsd-tech mailing list
27:Computer networking term
18:Host model (networking)
464:Network software stubs
144:stack of a networking
54:improve this article
459:Computer networking
204:Windows Server 2008
134:computer networking
454:Internet protocols
220:implementation in
194:versions prior to
190:implementation in
416:
415:
313:Microsoft Technet
192:Microsoft Windows
150:Microsoft Windows
130:
129:
122:
104:
16:(Redirected from
471:
437:
430:
423:
391:
384:
376:
349:
348:
346:
345:
330:
324:
323:
321:
320:
303:
297:
296:
294:
293:
278:
146:operating system
125:
118:
114:
111:
105:
103:
62:
38:
30:
21:
479:
478:
474:
473:
472:
470:
469:
468:
444:
443:
442:
441:
380:
371:
358:
353:
352:
343:
341:
332:
331:
327:
318:
316:
305:
304:
300:
291:
289:
280:
279:
275:
270:
258:
126:
115:
109:
106:
63:
61:
51:
39:
28:
23:
22:
15:
12:
11:
5:
477:
475:
467:
466:
461:
456:
446:
445:
440:
439:
432:
425:
417:
414:
413:
392:
378:
377:
369:
357:
356:External links
354:
351:
350:
325:
298:
272:
271:
269:
266:
265:
264:
257:
254:
128:
127:
42:
40:
33:
26:
24:
14:
13:
10:
9:
6:
4:
3:
2:
476:
465:
462:
460:
457:
455:
452:
451:
449:
438:
433:
431:
426:
424:
419:
418:
412:
410:
406:
403:article is a
402:
398:
393:
390:
386:
381:
375:. 2005-12-14.
374:
370:
367:
363:
360:
359:
355:
340:
336:
329:
326:
315:
314:
309:
302:
299:
288:
284:
277:
274:
267:
263:
260:
259:
255:
253:
251:
247:
243:
239:
235:
231:
228:Modern BSDs (
226:
223:
219:
214:
212:
208:
205:
201:
200:Windows Vista
197:
196:Windows Vista
193:
189:
184:
182:
177:
174:
170:
166:
163:arrives at a
162:
159:
155:
151:
147:
143:
139:
135:
124:
121:
113:
110:December 2019
102:
99:
95:
92:
88:
85:
81:
78:
74:
71: –
70:
66:
65:Find sources:
59:
55:
49:
48:
43:This article
41:
37:
32:
31:
19:
409:expanding it
394:
379:
342:. Retrieved
338:
328:
317:. Retrieved
311:
301:
290:. Retrieved
286:
276:
242:DragonflyBSD
227:
215:
185:
178:
137:
131:
116:
107:
97:
90:
83:
76:
69:"Host model"
64:
52:Please help
47:verification
44:
448:Categories
344:2020-02-20
319:2020-02-20
292:2020-02-20
268:References
138:host model
80:newspapers
399:-related
252:options.
181:multihome
156:. When a
401:software
256:See also
173:IP stack
397:network
238:OpenBSD
230:FreeBSD
158:unicast
94:scholar
364:
250:sysctl
240:, and
234:NetBSD
207:TCP/IP
161:packet
142:TCP/IP
96:
89:
82:
75:
67:
395:This
222:Linux
154:Linux
148:like
101:JSTOR
87:books
405:stub
366:1122
262:uRPF
218:IPv4
216:The
211:IPv6
202:and
188:IPv4
186:The
165:host
136:, a
73:news
362:RFC
152:or
132:In
56:by
450::
337:.
310:.
285:.
246:pf
236:,
232:,
169:IP
167:,
436:e
429:t
422:v
411:.
347:.
322:.
295:.
123:)
117:(
112:)
108:(
98:·
91:·
84:·
77:·
50:.
20:)
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.