Try sniffing a network when someone is running SecuRemote :-)

(I must admit that I did not have a copy of the trace in front of me when I
described the traffic below, but the gist of it is correct :-( )

Crispin Harris

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Monday, 11 June 2001 8:12 PM
> To: [EMAIL PROTECTED]
> Subject: RE: This is a must read document. It will freak you out
> 
> 
>   Ouch!
> 
>   Care to name the offending party, so those of us who have a choice 
> can avoid it?
> 
> David Gillett
> 
> 
> On 11 Jun 2001, at 10:05, Crispin Harris wrote:
> 
> > One thing about egress filtering which I noted recently.
> > 
> > If the leaf node is using VPN software, you may be in for a
> > surprise!
> > 
> > At least one major vendor of VPN client software performs the Virtual
> > functions by rewriting the source address of the packet:
> > 
> > Mobile PC: -A-
> > VPN Gateway: -B-
> > Protected Server: -C-
> > 
> > Communicating from -A- to -C- via -B-:
> > On A:
> > Packet 1:
> > SRC: A
> > DST: B
> > 
> > Packet 2:
> > SRC: -C-
> > DST: B
> > 
> > This product rewrites the packet so that the gateway sees an incoming
> > packet with the final destination as the source!
> > (Not very nice eh?)
> > 
> > Regards,
> >     Crispin Harris
> > 
> > > -----Original Message-----
> > > From: Paul D. Robertson [mailto:[EMAIL PROTECTED]]
> > > Sent: Sunday, 10 June 2001 11:59 PM
> > > To: [EMAIL PROTECTED]
> > > Cc: [EMAIL PROTECTED]
> > > Subject: RE: This is a must read document. It will freak you out
> > > 
> > > 
> > > On Sun, 10 Jun 2001 [EMAIL PROTECTED] wrote:
> > > 
> > > >   Egress filtering at border points is appropriate for leaf
> > > > networks.
> > > 
> > > Which is exactly what I'm proposing.
> > > 
> > > >  Many ISPs, though, also ferry third-party traffic between their
> > > > peering points; it would be inappropriate for them to accept traffic
> > > > that an egress rule elsewhere will prevent them from delivering.
> > > 
> > > Egress rules don't prevent anything from being delivered if the egress is
> > > legitimate.
> > > 
> > > >   This isn't to say that it can't or shouldn't be done, only that
> > > > determining how much filtering should be done, and at which routers,
> > > > may be less simple for multi-homed ISPs than it sounds.
> > > 
> > > Once again, I'm stressing that end-user network filtering be the
> > > major point of egress filtering, not ISP networks.
> > > 
> > > ISPs can do fairly easy filtering based on prefixes they transit or
> > > announce, but I agree with the contention that the aggregation of traffic
> > > is too much at those points to not affect performance by filtering in the
> > > transit space. ISPs hosting networks should, of course, employ egress
> > > filtering, but in that case, they're acting as a leaf node, not a transit
> > > entity.
> > > 
> > > Paul
> > > -----------------------------------------------------------------------------
> > > Paul D. Robertson      "My statements in this message are personal opinions
> > > [EMAIL PROTECTED]      which may have no basis whatsoever in fact."
> > > 
> > > -
> > > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > > "unsubscribe firewalls" in the body of the message.]
> > > 
> > 
> 
> 
> 
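As an added example that is not part of the original thread: a small egress-filter simulation in Python showing why the rewritten packet in Crispin's description (SRC -C-, DST -B-, leaving from -A-'s network) would be dropped by a strict leaf-network egress rule, and how the same prefix check is the "filter based on prefixes they transit or announce" case Paul describes for ISPs. The addresses, the prefix list and the `exceptions` parameter are assumptions for illustration (RFC 5737 documentation ranges); the thread does not name the vendor and does not propose any exception rule.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses (RFC 5737 documentation ranges), assumed for this
# example only; the original thread names no addresses or vendor.
LEAF_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]  # the leaf network behind the border
MOBILE_PC = "192.0.2.10"          # -A-, inside the leaf network
VPN_GATEWAY = "198.51.100.1"      # -B-
PROTECTED_SERVER = "203.0.113.5"  # -C-, behind the VPN gateway


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def egress_verdict(pkt, local_prefixes, exceptions=()):
    """Return (verdict, reason) for a packet leaving a network at its border.

    The rule is the RFC 2827 style egress check: only sources inside the
    network's own prefixes may leave.  For an ISP, ``local_prefixes`` would be
    the prefixes it announces or transits.  ``exceptions`` is a hypothetical
    list of destination addresses (e.g. a known VPN gateway) for which a
    non-local source is tolerated; it is an assumption of this example, not
    something the thread proposes.
    """
    src = ipaddress.ip_address(pkt.src)
    if any(src in net for net in local_prefixes):
        return ("ACCEPT", "source is local")
    if pkt.dst in exceptions:
        return ("ACCEPT", "non-local source tolerated for listed destination")
    return ("DROP", f"source {pkt.src} not in {[str(n) for n in local_prefixes]}")


def filter_flow(packets, local_prefixes, exceptions=()):
    """Apply egress_verdict to a sequence of packets; returns (pkt, verdict, reason)."""
    return [(pkt, *egress_verdict(pkt, local_prefixes, exceptions)) for pkt in packets]


# Constructed traffic: the two packets from the thread's description, plus a
# forged-source packet that an egress filter is actually meant to stop.
VPN_SESSION = [
    Packet(MOBILE_PC, VPN_GATEWAY),         # packet 1: SRC A, DST B
    Packet(PROTECTED_SERVER, VPN_GATEWAY),  # packet 2: SRC rewritten to C, DST B
]
SPOOFED = Packet("10.0.0.1", "203.0.113.9")

if __name__ == "__main__":
    traffic = VPN_SESSION + [SPOOFED]
    print("strict egress rule:")
    for pkt, verdict, reason in filter_flow(traffic, LEAF_PREFIXES):
        print(f"  {pkt.src:>15} -> {pkt.dst:<15} {verdict:<6} ({reason})")
    print("with the VPN gateway listed as an exception (assumed policy):")
    for pkt, verdict, reason in filter_flow(traffic, LEAF_PREFIXES, exceptions={VPN_GATEWAY}):
        print(f"  {pkt.src:>15} -> {pkt.dst:<15} {verdict:<6} ({reason})")
```

With the strict rule, packet 2 is dropped for exactly the reason the spoofed packet is: its source is not a prefix the leaf network owns, so the border cannot distinguish the VPN client's rewrite from forgery. The `exceptions` list is only a way to keep such a client working without abandoning the rule altogether, and it is only as trustworthy as the list of gateway addresses it contains.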