Damn, why doesn't this list have the default reply-to address as the list? Then it would be much easier to follow up threads to the list instead of accidentally sending replies direct to the sender and then having to forward them on :|

Dan

------- Forwarded message follows -------

On 5 Mar 2001, at 17:53, mouss wrote:

> At 15:06 05/03/01 +0000, Daniel Crichton wrote:
> >Should have copied this to the list as well.
>
> I did send my msg to the ML:)

I meant my reply to you :(

> It's here that I come!
> If I understand you: the router with 10.1.2.3 as one of its addresses sends an
> IP packet to 10.1.2.3 over the wire? That would be a revolutionary stack.

No, a router with address 10.1.2.3 in the route sends an ICMP reply to your machine that you traceroute from (if it's your router then the private IP address will be NATted, right?), which gets passed to the next router upstream as being from 10.1.2.3. That router knows how to get to your public address; it doesn't care that the source on the reply is 10.1.2.3. When you receive it, all the ICMP packet tells your machine is that it came from 10.1.2.3 - if that's your router or the one further up the route it doesn't matter (and the only difference is the TTL value, so traceroute can list which hop in the route sent back the packet), but you can't send data back to that router as it will go to yours instead.

This demonstrates why ingress filtering is a necessity - if someone floods your network with packets that have a source of 10.1.2.3 then all replies go to your router, and tie up resources.

> Come on. I'm not talking about sessions, TCP or anything else. I'm fully in
> plain IP. just routing, nothing more. when a host with an IP address 1.2.3.4
> needs to send an IP packet to 1.2.3.4, then it realizes that this is one of
> its addresses and hands it to the local handler.

But the ICMP replies don't work quite that way - you're not sending packets to the router at 10.1.2.3, you're sending them to w.x.y.z and 10.1.2.3 just happens to be on the route. As I mentioned above, the remote 10.1.2.3 takes the packet that is going to w.x.y.z and returns a reply back if the TTL value matches its position in the trace.

> uhummmm....
> - IP options allow source routing. so if the router doesn't disallow these,
> you're gonna get'em
> - If I manage to router poisoning, then I can come to your door. These are not
> easy, but IP still allows'em. That's what I meant by not relying on other
> routers. If you wanna feel secure, lock your door, yourself. don't count on
> "them".

I know, I was just mentioning that normal routing would result in the packets being discarded.

> If your router allows you to use bridge mode on a rule basis, then you can
> configure it visible from your hosts and invisible for the rest of us. This is
> better than giving it a private addr.

Until someone finds an exploit to get around that, and then they have a public IP address to attack. Also, giving it a private IP helps to obfuscate it to the outside world.

Dan

------- End of forwarded message -------

---
D.C. Crichton               email: [EMAIL PROTECTED]
Senior Systems Analyst      tel: +44 (0)121 706 6000
Computer Manuals Ltd.       fax: +44 (0)121 606 0477
Computer book info on the web: http://computer-manuals.co.uk/
Want to earn money? Join our affiliate network! http://computer-manuals.co.uk/affiliate/
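The two points Dan makes above (a hop can answer traceroute from an RFC 1918 address you could never route back to, and a border should therefore drop inbound packets with such sources) as an added Python example, not code from anyone in the thread. The traceroute output, the "our prefix" 203.0.113.0/24 and the other addresses are constructed for the example; documentation ranges (RFC 5737) stand in for public addresses.

```python
import ipaddress

# Constructed sample traceroute output (not from the thread). Hop 2 answers
# from an RFC 1918 address, the situation Dan describes; RFC 5737 ranges stand
# in for public addresses.
SAMPLE_TRACEROUTE = """\
 1  192.168.1.1  0.412 ms
 2  10.1.2.3  3.105 ms
 3  198.51.100.9  8.701 ms
 4  203.0.113.40  12.044 ms
"""

# Hypothetical public prefix assigned to "our" site (assumption for the example).
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Source blocks that are never legitimate on the external interface:
# RFC 1918 first, then "this network", loopback, link-local, multicast/reserved.
BOGONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/3",
)]


def parse_hops(text):
    """Parse traceroute-style lines into [(hop_number, IPv4Address), ...]."""
    hops = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].isdigit():
            continue
        hops.append((int(parts[0]), ipaddress.ip_address(parts[1])))
    return hops


def private_source_hops(text):
    """Hop numbers whose ICMP reply carried an RFC 1918 source. They appear in
    the trace, but a packet sent *to* that address is routed to the local
    router, not to the hop that answered."""
    rfc1918 = BOGONS[:3]
    return [n for n, a in parse_hops(text) if any(a in net for net in rfc1918)]


def ingress_drop(src, external=True):
    """Ingress-filter decision for a packet with source `src`: on the external
    interface drop bogon sources and sources claiming our own prefixes, so a
    spoofed 10.1.2.3 flood never has its replies sent to the local router."""
    addr = ipaddress.ip_address(src)
    if not external:
        return False
    if any(addr in net for net in BOGONS):
        return True
    return any(addr in net for net in OUR_PREFIXES)
```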
