At 08:02 05/03/01 -0800, Devin L. Ganger wrote:
>If you're sending anything out on the Internet from a source address of
>10.1.2.3, you're obviously going through some sort of IP masquerading or
>NAT. The router, in this case, will be seeing the traceroute packets
>coming through with a source IP of whatever your masquerading is setting
>it to, and it will be sending ICMP ttl exceeded to *that* IP address,
>not to 10.1.2.3.
>
>Granted, if you're not doing that, then your point holds -- the router
>is sending the ICMP ttl exceeded to itself.
That's what I meant. A router with an address of 10.1.2.3 can't send an IP
packet to 10.1.2.3 over the wire. That's possible through NAT or through
other mechanisms (hacking the stack :), but it's simply bad and broken.
Responding to a traceroute is done for just one reason: allowing a host to
know the route. If it's to give him a faked answer, then it's bad practice.
Better is to either be invisible through bridge mode or refuse the packet.
Lying is not a smart security measure. You'll lie to bad guys, but there are
many more good guys on the net!
> > [Problem 2]
> > Assume your router has a private address, say 10.1.2.3. Tell me why
> > I can't telnet to it? The purpose of this question is that you come up with
> > the conditions that make it impossible to connect to your router, and
> > then compare these conditions with just blocking access to your router
> > if it had a public address.
>
>If you're not on my network, and I'm not your upstream that you're
>sending packets to by default, there's no route in the routing tables that
>can possibly send those packets to me.
Unless the in-between routers are poisoned, or accept source routing...
My point is that this is possibly hard, but still possible. You need to
lock your door, not rely on others to block those. Don't rely on anyone
to help you secure your net. Just your hands...
>
> > [Problem 3]
> > Now, why not use your router in bridge mode, in which case it is simply
> > invisible?
>
>1) There's still legitimate need for folks on *my* network to get into
>the router.
Can't you config IP gateway mode for your users and bridge mode for all of us?
That'll help.
It would be a nightmare for me to do:
traceroute www.open.net
and get
1 10.1.2.3
2 10.1.2.3
3 10.1.2.3
... and so on!
cheers,
mouss
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
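The traceroute symptom mouss describes (hop after hop answering as 10.1.2.3), checked mechanically. This is an added example and not code posted in the thread. It parses a traceroute listing, flags every hop that answers from RFC 1918 space, and flags runs of consecutive hops that answer from the same address, which is what several routers each numbered with the same private address produce. The traceroute output embedded in it is constructed for the example; the host name www.example.net and the addresses in it are placeholders, and the function names are my own.

```python
"""
Flag RFC 1918 responders and repeated responders in a traceroute listing.

Added example for the thread above, not code from the list.  The trace
below is constructed; its host name and addresses are placeholders.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# RFC 1918 space, checked explicitly rather than through
# ipaddress's is_private, which also counts documentation ranges.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# A hop line starts with the TTL; the responder is a dotted quad
# (possibly after a host name, in parentheses) or '*' for no reply.
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
ADDR_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")

# Constructed traceroute output (not a real capture).
CONSTRUCTED_TRACE = """\
traceroute to www.example.net (203.0.113.10), 30 hops max, 60 byte packets
 1  10.1.2.3 (10.1.2.3)  0.412 ms  0.388 ms  0.371 ms
 2  10.1.2.3 (10.1.2.3)  1.102 ms  1.087 ms  1.061 ms
 3  10.1.2.3 (10.1.2.3)  2.334 ms  2.310 ms  2.298 ms
 4  * * *
 5  198.51.100.1 (198.51.100.1)  9.873 ms  9.851 ms  9.820 ms
 6  203.0.113.10 (203.0.113.10)  12.004 ms  11.980 ms  11.961 ms
"""


@dataclass
class Hop:
    ttl: int
    addr: Optional[str]      # None when the hop printed only '*'
    rfc1918: bool            # responder is in private address space
    repeats_previous: bool   # same responder as the hop before it


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_traceroute(text: str) -> List[Hop]:
    hops: List[Hop] = []
    prev_addr: Optional[str] = None
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header line, or not a hop line at all
        ttl, rest = int(m.group(1)), m.group(2)
        am = ADDR_RE.search(rest)
        addr = am.group(1) if am else None
        hops.append(Hop(
            ttl=ttl,
            addr=addr,
            rfc1918=addr is not None and is_rfc1918(addr),
            repeats_previous=addr is not None and addr == prev_addr,
        ))
        prev_addr = addr
    return hops


def findings(text: str) -> List[str]:
    """One line per thing the reader of the trace should worry about."""
    out: List[str] = []
    for h in parse_traceroute(text):
        if h.addr is None:
            continue
        if h.rfc1918:
            out.append(f"hop {h.ttl}: {h.addr} is RFC 1918 space; the router "
                       "answered from an address that is not routable to you")
        if h.repeats_previous:
            out.append(f"hop {h.ttl}: same responder as hop {h.ttl - 1}; "
                       "the real path is hidden behind one reused address")
    return out


if __name__ == "__main__":
    for line in findings(CONSTRUCTED_TRACE):
        print(line)
```

Run it against saved `traceroute` output to see the same thing the thread complains about: three hops numbered 10.1.2.3 tell you nothing about the path, and each of them is an address you could not reach even if you wanted to report a problem to its operator.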