nanog mailing list archives

Re: BCP38 tester?

From: Alain Hebert <ahebert () pubnix net>
Date: Mon, 01 Apr 2013 09:34:31 -0400

On 04/01/13 04:02, Karl Auer wrote:

On Mon, 2013-04-01 at 01:31 -0500, Jimmy Hess wrote:

On 3/31/13, Karl Auer <kauer () biplane com au> wrote:

OK - how does one configure NAT so that the source addresses of outbound
packets are NOT clamped to a configured range on the outside of the NAT
device? Given this general scenario, of course:

He said it depends on how NAT is configured
[...]
In some implementations, only certain ranges of source IP addresses
are subject to translation.

Um - if no address translation takes place, then, by definition, NAT has
not taken place.

So it may well be that a particular device, capable of doing NAT and
other things, of NATting some packets but not others, may permit
spoofed-because-not-NATted outbound packets, but I remain unconvinced
that a spoofed packet can make it through a NAT process and head
outbound without getting its source address clamped to a configured
range of outside addresses.

Now I'm imagining a NAT process that translates only *destination*
addresses - hm, is there such a beast?

Continuing to seek enlightenment...

Regards, K.

    While I was reading this... thinking that a NAT is a NAT is a NAT...
    ( I spend "some" time writing/porting NAT code in my youth )

    I'm sad to confirm that my spoof test was successful with a:

        . SageMCom modem+router, which is used by a big TelCo around my
part, for both their residential and commercial ADSL2+, VDSL customers.

        . 4 well know Tier-2(?) provider :( why I'm wasting time filling
up "paper" LoA if its only going to be used for BGP.

    But on the other hand... it failed on a:

        . Cisco (*cought* LinkSys) WRT54G loaded with DD-WRT v2.4-sp2
micro (2010/10/09);

        . SonicWall 2040 with 4.2.1.3;

        . Thompson SpeedTouch 516;

        ( I'm looking around for more CPE I could "use", for testing =D )

    PS: I'm not promoting the listed vendor, products.  Its only a quick
test with what I had on my hand during breakfast.

-----
Alain Hebert                                ahebert () pubnix net   
PubNIX Inc.        
50 boul. St-Charles
P.O. Box 26770     Beaconsfield, Quebec     H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net    Fax: 514-990-9443

Current thread:

Re: BCP38 tester? Dobbins, Roland (Apr 01)
- <Possible follow-ups>
- Re: BCP38 tester? Karl Auer (Apr 01)
  - Re: BCP38 tester? Dobbins, Roland (Apr 01)
  - Re: BCP38 tester? Jimmy Hess (Apr 01)
    - Re: BCP38 tester? Jay Ashworth (Apr 01)
    - Re: BCP38 tester? Matt Palmer (Apr 01)
    - Re: BCP38 tester? Jimmy Hess (Apr 02)
    - Re: BCP38 tester? Jay Ashworth (Apr 02)
  - Re: BCP38 tester? Alain Hebert (Apr 01)
    - Re: BCP38 tester? Valdis . Kletnieks (Apr 01)
    - Re: BCP38 tester? Alain Hebert (Apr 01)
- Re: BCP38 tester? Peter Baldridge (Apr 01)
  - Message not available
    - Re: BCP38 tester? Peter Baldridge (Apr 01)
- Re: BCP38 tester? Jima (Apr 01)
  - Re: BCP38 tester? Alain Hebert (Apr 01)
- Re: BCP38 tester? Jay Ashworth (Apr 01)
- RE: BCP38 tester? Frank Bulk (iname.com) (Apr 01)