Host model
In networking, a host model determines how a computer's TCP/IP stack decides whether an incoming unicast packet is meant for that host.
Weak host model
- The host accepts any locally destined packet, no matter which network interface the packet arrived on.
- Pros: easier to reach and monitor across networks; good connectivity on multi-network setups.
- Cons: multihomed hosts are more vulnerable to certain attacks, and VPN security can be weaker.
Strong host model
- The host only accepts a packet if its destination IP matches the IP on the receiving interface.
- Pros: better security for multihomed machines; certain spoofing or cross-network attacks are less likely.
- Cons: can reduce reachable paths in some network configurations.
How different systems implement it
- Windows: Older Windows (pre-Vista) used weak for IPv4. Windows Vista and Windows Server 2008+ use strong by default for IPv4 and IPv6, but you can switch to weak if needed.
- Linux: IPv4 defaults to weak. You can enable reverse path filtering (rp_filter) for protection, which isn’t exactly strong host but helps against related attacks. arp_ignore and arp_announce can tweak behavior.
- BSDs: Modern BSDs (FreeBSD, NetBSD, OpenBSD, DragonFly BSD) default to weak. OpenBSD has strong-by-default behavior when IP forwarding is disabled; with forwarding on, it supports reverse path checks via its pf firewall (urpf-failed). FreeBSD, NetBSD, and DragonFly BSD provide sysctl options to adjust these settings.
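An added example (not part of the original page or any project's code) for the Linux knobs above: the kernel applies the higher of the conf.all and per-interface values for rp_filter, arp_ignore and arp_announce, so an audit has to compute that effective value per interface. The sysctl lines are constructed sample input in `sysctl -a` format, and the function names are illustrative.

```python
from collections import defaultdict

PARAMS = ("rp_filter", "arp_ignore", "arp_announce")
PREFIX = "net.ipv4.conf."

# Constructed sample input (not captured from a real host).
SAMPLE = """\
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.arp_ignore = 0
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth0.arp_ignore = 1
net.ipv4.conf.eth0.arp_announce = 0
net.ipv4.conf.eth1/100.rp_filter = 0
net.ipv4.conf.eth1/100.arp_ignore = 0
net.ipv4.conf.eth1/100.arp_announce = 0
net.ipv4.ip_forward = 0
"""

def parse(text):
    """Return {iface: {param: int}} for the parameters of interest."""
    conf = defaultdict(dict)
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or not key.startswith(PREFIX):
            continue
        # VLAN names such as eth1.100 appear as eth1/100, so split on the last dot.
        iface, _, param = key[len(PREFIX):].rpartition(".")
        if param in PARAMS and value.strip().isdigit():
            conf[iface][param] = int(value)
    return conf

def effective(conf):
    """Per-interface effective values: max(all, interface); 'default' is only a template."""
    all_ = conf.get("all", {})
    return {iface: {p: max(all_.get(p, 0), vals.get(p, 0)) for p in PARAMS}
            for iface, vals in conf.items() if iface not in ("all", "default")}

def findings(text):
    """List (iface, param) pairs whose effective value is 0, the most permissive setting."""
    eff = effective(parse(text))
    return sorted((i, p) for i, v in eff.items() for p in PARAMS if v[p] == 0)

if __name__ == "__main__":
    for iface, param in findings(SAMPLE):
        print(f"{iface}: {param} is effectively 0")
```

On a live host the same functions can be fed the output of `sysctl -a` instead of the sample text.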
In short, the weak model favors connectivity, while the strong model favors security. Different operating systems choose different defaults, with knobs to tweak behavior.
This page was last edited on 3 February 2026, at 06:40 (CET).