Article ID: 14035
Products
S-Series, all firmware
Matrix N-Series DFE, firmware 7.11.01.0025 and higher
K-Series, all firmware
Discussion
Prior to release 7.x (applies to N-Series), HostDos was a term used to encompass multifaceted protection of the system's host IP stack, along with check spoof protection for transit frames being routed through the system (5417).
As of release 7.x (applies to S/N/K-Series), HostDos applies only to multifaceted protection of the host IP stack, while the 'ip checkspoof strict-mode' and 'ip checkspoof loose-mode' commands have been added to provide check spoof protection for transit frames being routed through the system.
N-Series firmware 7.11.01.0025 release notes state:
HOSTDOS
Use of checkspoof was limited in ECMP topologies. Checkspoof required
the interface a packet was received on to also be an interface in a
route to the source of the packet. With ECMP topologies, a packet
destined for a router interface on a stub network could arrive from a
neighbor router also on the stub network because ECMP on neighboring
routers directed the packet in that direction. This would cause a
checkspoof error. We have now implemented 'ip checkspoof loose-mode'
that weakens the restriction to only requiring a route to source of the
packet ignoring the interface the packet arrived on. The option 'ip
checkspoof strict-mode' provides the legacy feature.
During an N-Series 6.x to 7.x firmware upgrade (13533), the following conversions are made in order to maintain the same functionality:
- If the command 'hostdos checkspoof' is used at the router level, then upon upgrade to 7.x the original command will have been moved to the non-loopback interface level as 'ip checkspoof strict-mode' (to protect the interface).
- If the command 'hostdos checkspoof' is used at the interface level, then upon upgrade to 7.x the original command will have been changed to 'ip checkspoof strict-mode' (to protect the interface).
- If the command 'hostdos land' is used at the router and/or interface level, then upon upgrade to 7.x the original command will have been moved to the switch level as 'hostdos land' (to protect the host), with a maximum of one such resulting switch command.
- If the command 'hostdos fragmicmp' is used at the router and/or interface level, then upon upgrade to 7.x the original command will have been moved to the switch level as 'hostdos icmpfrag' (to protect the host), with a maximum of one such resulting switch command.
- If the command 'hostdos largeicmp' is used at the router and/or interface level, then upon upgrade to 7.x the original command will have been moved to the switch level as 'hostdos icmpsize' (to protect the host), with a maximum of one such resulting switch command.
- If the command 'hostdos portscan' is used at the router and/or interface level, then upon upgrade to 7.x the original command will have been moved to the switch level as 'hostdos portscan' (to protect the host), with a maximum of one such resulting switch command.
Note that the use of 6.x router 'hostdos checkspoof', or 6.x interface 'hostdos checkspoof', or 7.x interface 'ip checkspoof strict-mode' can be incompatible with VRRP on the same system.
The 7.x CLI Reference Guide states, for 'ip checkspoof' command usage:
Network configurations that utilize VRRP may have connectivity issues to
the backup interfaces when using checkspoof strict-mode. Under this
circumstance, traffic may be routed via what appears to be the non-best
path to the backup interface, due to the inherent nonsymmetric nature of
VRRP routing. Strict-mode checkspoof rejects frames that do not ingress
the "best" interface. When utilizing VRRP, use the loose-mode version of
checkspoof. This mode verifies that the source IP in the packet is at
least in a "known" network.
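As an added illustration (not taken from the article or from the switch firmware), the Python model below shows how strict-mode and loose-mode reverse-path checks treat the ECMP case described in the release notes and the asymmetric-path case behind the VRRP advice above. The routing table, interface names and source addresses are constructed for the example.

```python
import ipaddress

# Constructed routing table for this router: prefix -> interfaces on a route to
# that prefix (an ECMP route lists more than one). Deliberately no default route:
# with one, loose-mode would treat every source address as "known".
ROUTES = {
    "10.1.0.0/24": {"vlan10"},              # stub network, directly connected
    "10.2.0.0/24": {"vlan20"},              # second directly connected network
    "192.168.0.0/16": {"vlan20"},           # remote network, single next hop
    "172.16.0.0/12": {"vlan10", "vlan20"},  # ECMP route via both neighbours
}

def route_to_source(src):
    """Longest-prefix match for src; returns the interface set, or None."""
    ip, best = ipaddress.ip_address(src), None
    for prefix, ifaces in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifaces)
    return best[1] if best else None

def checkspoof(src, ingress, mode):
    """True if the frame passes the reverse-path check.
    strict-mode: ingress must be an interface on a route back to src.
    loose-mode:  any route back to src suffices; ingress is ignored."""
    ifaces = route_to_source(src)
    if ifaces is None:
        return False                 # unroutable source: dropped in both modes
    if mode == "loose-mode":
        return True
    return ingress in ifaces         # strict-mode: the legacy checkspoof test

# Constructed frames: (source IP, ingress interface, what the frame represents)
FRAMES = [
    ("10.1.0.5", "vlan10", "host on the stub network, normal path"),
    ("192.168.5.5", "vlan10", "remote host, steered here by a neighbour's ECMP"),
    ("172.16.3.3", "vlan10", "remote host on our own ECMP route, either leg ok"),
    ("10.2.0.7", "vlan10", "claims a vlan20 address but arrives on vlan10"),
    ("203.0.113.9", "vlan10", "source with no route at all"),
]

def evaluate(frames=FRAMES):
    """Map each source to (strict-mode result, loose-mode result)."""
    return {src: (checkspoof(src, ing, "strict-mode"),
                  checkspoof(src, ing, "loose-mode")) for src, ing, _ in frames}

if __name__ == "__main__":
    for src, ing, why in FRAMES:
        s, l = evaluate()[src]
        print(f"{src:12} in {ing}: strict={s!s:5} loose={l!s:5}  {why}")
```

The 192.168.5.5 frame is the release-notes case: strict-mode drops it because vlan10 is not on the route back to its source, loose-mode passes it because a route exists; the 10.2.0.7 frame shows what loose-mode gives up in exchange, since a source claiming an address from another directly connected network is no longer caught.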