On Oct 19, 2006, at 10:59 AM, Derek Kumar wrote:

> As I noted the last time this came up (and that thread involved the same participants, as I recall :), RFC 1812's router forwarding algorithm requires compliant implementations to forward packets to the appropriate interface (where the most specific or "longest" network prefix matches that of the packet's destination) regardless of the origin of the packet; empirically, routers at places such as Apple, Oracle, Cisco, nVidia, MIT and my Comcast cable modem don't seem to have any trouble doing this. Certain installations aren't configured to do this, but unless you encounter this configuration, I wouldn't make any assumptions about the necessity of a second subnet etc.

Hi Derek, yes - the same participants!

I did some investigation after our earlier discussion. Since I don't write router-type code, I asked a Mac developer who does it for a living. He commented ...

Not forwarding packets back out the same interface they arrived on is
actually a feature of many advanced routers. Open Transport had three
IP Forwarding settings: (1) off; (2) automatic; and (3) forward. The
"automatic" setting was added to provide just the behavior above which
is generally seen as more robust.

The reasons are:

(1) The packet can be delivered directly and the administrator may
prefer the router to send an ICMP redirect to tell the sender to do so
as this makes better use of the router's interface bandwidth.

(2) A packet may arrive at the wrong interface due to a network
configuration error, unintended routing loop, or malicious attack. By
not forwarding such packets, we prevent a common class of packet storms
or routing errors that might escalate into more serious problems. This
is similar to the concept of "Split Horizon Routing"
<http://www.webopedia.com/TERM/S/split_horizon.html>

Advanced routers should provide an option to select the RFC compatible
forwarding behavior, but the "automatic" mode has become so widely
deployed and recommended, I'm not surprised to hear some small routers
just implement it by default.

The default gateway at my day-job is a CheckPoint firewall and it is indeed configured this way. I also tried three of the small routers commonly used for home or SOHO, from Linksys, D-Link and an older MacSense. None of these would forward a packet to the incoming interface.

Regards.....Peter
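The forwarding choice debated in this thread, as an added sketch that is not part of the original message and is not Open Transport or Darwin code: a longest-prefix lookup followed by the same-interface check. The mode names come from the three settings quoted above; the function names, the `suppress` action, the interface names and the route table are constructed assumptions.

```python
import ipaddress
from enum import Enum

class Mode(Enum):
    """The three IP Forwarding settings named in the thread."""
    OFF = "off"
    AUTOMATIC = "automatic"   # never forward out the arrival interface
    FORWARD = "forward"       # RFC 1812 style: forward regardless of origin

# Constructed routing table: (prefix, egress interface, gateway or None if on-link)
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "wan0", ipaddress.ip_address("203.0.113.1")),
    (ipaddress.ip_network("192.168.1.0/24"), "lan0", None),
    (ipaddress.ip_network("10.20.0.0/16"), "lan0", ipaddress.ip_address("192.168.1.254")),
]

def lookup(dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    matches = [route for route in ROUTES if dst in route[0]]
    return max(matches, key=lambda route: route[0].prefixlen) if matches else None

def decide(mode, in_if, dst):
    """Return (action, egress_if, next_hop) for a packet that arrived on in_if."""
    dst = ipaddress.ip_address(dst)
    route = lookup(dst)
    if mode is Mode.OFF or route is None:
        return ("drop", None, None)
    _, out_if, gateway = route
    next_hop = gateway if gateway is not None else dst
    if mode is Mode.AUTOMATIC and out_if == in_if:
        # Egress equals ingress: the sender could reach next_hop directly.
        # The packet is not forwarded; a router may send an ICMP redirect here.
        return ("suppress", out_if, next_hop)
    return ("forward", out_if, next_hop)

if __name__ == "__main__":
    # Constructed test packets, all arriving on lan0
    for mode in Mode:
        for dst in ("192.168.1.50", "10.20.3.4", "198.51.100.7"):
            print(mode.value, dst, decide(mode, "lan0", dst))
```

The `10.20.0.0/16` entry is the case the thread is about: a second subnet reached through a gateway on the same LAN, which is forwarded in `FORWARD` mode and suppressed in `AUTOMATIC` mode.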