How does Linode network infrastructure deal with IP spoofing?
From the docs: >> For security reasons, IPv6 forwarding is not available on the Linode network. This is enforced by our network infrastructure.
1) Does it mean that any IPv6 packet originating from a Linode with a spoofed source IPv6 address will be dropped by the network infrastructure (and the recipient in the same data center may safely assume so)?
2) Since forwarding is allowed for IPv4, does it mean that the recipient should make no assumption about the validity of the source IP address, even when the source IP address is a private IP address?
Also, would Linode routers filter out incoming traffic with a source IPv6 address claiming (spoofed) to belong to a server inside the data center?
Why these questions? If you have several Linodes in the same data center, you need to know whether incoming packets claiming to be from your server IPs are truly from your servers.
I have just run a test between my 3 servers, A, B and C, where the server A was trying to ping server C with a source IP set (spoofed) to that of server B.
I used ip6tables -t nat … -j SNAT … to do the spoofing.
The packets did not arrive at C.
Looks like the Linode network prevents the sender from spoofing the source IPv6 address.
The question still remains whether the network would accept an incoming (from the internet) external IPv6 packet with a source IP matching any IPv6 address assigned to any server inside the network.
Ideally, I think, the network should drop those packets.
Unfortunately I can't test that. My ISP offers only IPv4 addresses.
I'm not an expert myself, but I've spoken with a member of our Network Ops team and can shed some light on this scenario.
Let's say we have Linode A, Linode B, and Server C. If someone sent a packet from Server C outside our network to Linode A via IPv6, and was spoofing the IPv6 address of Linode B, then Linode A would receive the packet as normal. From there, if Linode A responds to the packet, the reply would be routed to Linode B since it's being sent to the IPv6 address of Linode B. Server C wouldn't receive a reply back, since Server C's actual IP address was not mentioned in the packet.
I'd always recommend encrypting sensitive data to ensure there are multiple layers of security. We have a guide on setting up WireGuard on a Linode here. WireGuard is a VPN I use personally and highly recommend.
Thank you for clarifying this!
Basically it means that without encryption one needs to be extra careful (must encrypt) with UDP services where the application-level protocol does not require some form of handshake and might perform some action in response to received packets.
I have tried WireGuard, and just love its clarity of design, simplicity and reliability!
But any encryption comes at a cost of extra CPU cycles, increased latency and lower throughput. I'm trying to avoid those costs when it is reasonably safe to do so.
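Building on the routing point made above (the reply to a spoofed packet goes to the real owner of the address, so the spoofer never sees it) and on the concern about UDP services that act on unauthenticated datagrams: the following is an added example, not code from the thread or from Linode, of a stateless address-validation cookie. The service refuses to perform an action until the client echoes a cookie that only the true owner of the claimed source address could have received, which costs one HMAC per datagram rather than full encryption. The 2001:db8:: addresses, ports and message format are constructed for the example.

```python
import hmac
import hashlib
import os
import time

# Server-side secret, generated at start-up (constructed for the example).
SECRET = os.urandom(32)
COOKIE_TTL = 60  # seconds a cookie stays valid


def _tag(key, src_ip, src_port, bucket):
    # Bind the cookie to the claimed source address/port and a time bucket.
    msg = f"{src_ip}|{src_port}|{bucket}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32].encode()


def make_cookie(src_ip, src_port, now=None, key=SECRET):
    """Stateless cookie: nothing is stored server-side per client."""
    now = time.time() if now is None else now
    return _tag(key, src_ip, src_port, int(now // COOKIE_TTL))


def verify_cookie(cookie, src_ip, src_port, now=None, key=SECRET):
    """Accept the current or previous bucket so a boundary does not reject a fresh cookie."""
    now = time.time() if now is None else now
    bucket = int(now // COOKIE_TTL)
    return any(hmac.compare_digest(cookie, _tag(key, src_ip, src_port, b))
               for b in (bucket, bucket - 1))


def handle_datagram(payload, src_ip, src_port, now=None, key=SECRET):
    """Dispatch one UDP datagram. Returns (reply_bytes, action_performed).

    A bare request only earns a cookie; the reply is routed to the *claimed*
    source, so a host spoofing someone else's address never learns it.
    The action runs only when a valid cookie for this exact source is echoed.
    """
    if payload.startswith(b"REQ "):
        return b"COOKIE " + make_cookie(src_ip, src_port, now, key), False
    if payload.startswith(b"ACT "):
        parts = payload.split(b" ", 2)
        if len(parts) >= 2 and verify_cookie(parts[1], src_ip, src_port, now, key):
            return b"OK", True
        # Drop silently: no side effect, and no amplification toward a victim.
        return b"", False
    return b"", False
```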