Re: multiple ip addresses on a sinle NIC

[Neale Banks <neale () lowendale com au>]

On Mon, 20 Jul 1998, Tally Jones wrote:

> what are the implications of binding more than one IP addresse
> on the same NIC card.( unlike having a multihomed gateway or
> bastion host). each interface of NIC could be binded to more 
> than one IP address....but why ?[ this is often done by ISPs
> whom i cantacted lately and they said that this way they could
> host more web servers on the same machine, instead of having a 
> different host. each ip addrress mappeed points to a different 
> directory ]

First, this can be implementation dependent.  For example last time I
looked at SCO's implementation (5.0) they were not creating discrete
sub-interfaces - so you could not refer to these additional interfaces in
the IP routing table.  OTOH, both Linux and Solaris (and no doubt others)
create a discrete interface (cajoling the higher layers into believing
there is correspodning hardware?) which can be refered to in the IP
routing table.

In my experience, where discrete interfaces are created, you can control
the _source_ address (and therefore potentially influence the _return_
traffic path) by having appropriate entries in the routing table.

> From a security point of view two questions come to mind:

1) How robust is such an arrangement?

2) Does it detract from or enhance security?

The nswer to the second question in particular will depend on the specific
circumstances. 

> but what about the setting of the rules about Network access 
> and Network address translation etc. how would they respond to
> such a scenario. please email me a ccof your responses as i am
> working on such a scenario and how it would compromixe security.

IMHO, with a _proper_ implementation of discrete sub-interfaces the
answers to these questions _should_ be the same as if one had a battery of
physical interfaces.  Perhaps that's part of the definition of a proper
implementation of multiple IPs on one NIC?

Regards,
Neale.