stanonik@nprdc.ARPA (08/29/84)
We're thinking about running rick@seismo's serial line ip code to a machine, sdcsla, at a local university, ucsd. Our aim is to communicate with sdcsla, but not to gateway between ucsd's relatively large local network and the milnet. (sdcsla is on ucsd's local network and we're on the milnet). My reasoning, or lack thereof, runs as follows.

1) 4.2bsd assumes packets should be forwarded between network interfaces; i.e., packets will be forwarded between ucsd's local network and the milnet, given the appropriate routing information.

2) routed on our machine will inform sdcsla that we are a gateway to the milnet, and routed on sdcsla will in turn inform every machine on ucsd's local network.

3) egp (kirton@usc-isif's egp) on our machine will inform every machine on the milnet that we are a gateway to ucsd's local network.

4) Has anyone else had to deal with keeping networks disjoint, both speaking IP? Any ideas on controlling 4.2bsd packet forwarding, or routed/egp routing information?

Thanks,
Ron Stanonik
stanonik@nprdc
cak@PURDUE.ARPA (08/30/84)
From: Christopher A Kent <cak@PURDUE.ARPA>

The straightforward way to avoid this is to make sure that sdcsla does not have a route to milnet; then people might send to them, but the reply packets will not be able to get out.

If both ends run routed, this might be a problem -- I'm not familiar enough with routed to judge. We axed it a long time ago because it causes more trouble than it's worth. You might be able to do without running routed on the two endpoint machines.

chris
----------
CERF@USC-ISI.ARPA@sri-unix.UUCP (08/30/84)
Ron,

A long time ago, BBN had to introduce similar firewalls between their commercial Telenet system and the ARPANET (you may recall that BBN started Telenet and sold it to GTE later). They were concerned at that time with TOPS-20 or Tenex systems which were on both Telenet and ARPANET. At that time there was no IP and no host gateway, so they only had to block user access from one net via the host to the other.

What happens if you use two hardware interfaces (one to the local net and one to the Milnet) and two copies of IP? The two copies of IP need not know about each other's existence. Users of the IP layer would need to know to route (select) IP services based on destination network. Sounds awful, but it looks to me as if you need to bifurcate the view of the world at about the gateway level if you are to maintain the fiction that your machine is a host on two systems which is not, accidentally, a gateway between them as well.

As to actual code availability to achieve this - I dunno.

Vint
drockwel@CSNET-SH.ARPA@sri-unix.UUCP (08/30/84)
From: Dennis Rockwell <drockwel@CSNET-SH.ARPA>

> From: stanonik@nprdc
> Subject: 4.2bsd gatewaying
> Date: 29 August 1984 1347-PDT (Wednesday)
>
> We're thinking about running rick@seismo's serial line ip code to a machine, sdcsla, at a local university, ucsd. Our aim is to communicate with sdcsla, but not to gateway between ucsd's relatively large local network and the milnet. (sdcsla is on ucsd's local network and we're on the milnet). My reasoning, or lack thereof, runs as follows.
>
> 1) 4.2bsd assumes packets should be forwarded between network interfaces; i.e., packets will be forwarded between ucsd's local network and the milnet, given the appropriate routing information.

There is a flag (ipforwarding) that you can set to 0 to prevent packet forwarding. You can either change it in your source, or run an adb script from rc.local to turn off the forwarding. Packets which would have been forwarded are then answered with an ICMP UNREACHABLE message.

> 2) routed on our machine will inform sdcsla that we are a gateway to the milnet, and routed on sdcsla will in turn inform every machine on ucsd's local network.

Don't run routed unless you have to (for a local net, perhaps). In any case, turning off forwarding will stop the traffic.

> 3) egp (kirton@usc-isif's egp) on our machine will inform every machine on the milnet that we are a gateway to ucsd's local network.

Why are you running EGP if you don't want to be a gateway? If you run it because you want to keep your routes up to date, then you should use the "egpnetsreachable" config command (in the file etc-egp) to restrict the nets that are advertised by EGP.

If you are a gateway between MILNET and some local net you don't mention in your message, then you will have to hack ip_forward in netinet/ip_input.c to exclude the point-to-point net plus all the nets behind sdcsla.

> 4) Has anyone else had to deal with keeping networks disjoint, both speaking IP? Any ideas on controlling 4.2bsd packet forwarding, or routed/egp routing information?

In addition to the above, we (CSNET) have to restrict our non-domestic X.25 sites from sending or receiving packets from the Internet. The solution in this case is (unfortunately) to hack ip_forward as mentioned above.

> Thanks,
> Ron Stanonik
> stanonik@nprdc

Good luck! Let me know what you finally do.

Dennis Rockwell
CSNET Technical Staff