nanog mailing list archives
Re: BCP38 tester?
From: Alain Hebert <ahebert () pubnix net>
Date: Mon, 01 Apr 2013 09:34:31 -0400
On 04/01/13 04:02, Karl Auer wrote:
> On Mon, 2013-04-01 at 01:31 -0500, Jimmy Hess wrote:
>> On 3/31/13, Karl Auer <kauer () biplane com au> wrote:
>>> OK - how does one configure NAT so that the source addresses of
>>> outbound packets are NOT clamped to a configured range on the
>>> outside of the NAT device? Given this general scenario, of course:
>>
>> He said it depends on how NAT is configured [...] In some
>> implementations, only certain ranges of source IP addresses are
>> subject to translation.
>
> Um - if no address translation takes place, then, by definition, NAT
> has not taken place. So it may well be that a particular device,
> capable of doing NAT and other things, of NATting some packets but not
> others, may permit spoofed-because-not-NATted outbound packets, but I
> remain unconvinced that a spoofed packet can make it through a NAT
> process and head outbound without getting its source address clamped
> to a configured range of outside addresses.
>
> Now I'm imagining a NAT process that translates only *destination*
> addresses - hm, is there such a beast?
>
> Continuing to seek enlightenment...
>
> Regards, K.

While I was reading this... thinking that a NAT is a NAT is a NAT...

( I spent "some" time writing/porting NAT code in my youth )

I'm sad to confirm that my spoof test was successful with a:

. SageMCom modem+router, which is used by a big TelCo around my part, for both their residential and commercial ADSL2+, VDSL customers.
. 4 well-known Tier-2(?) providers :( why I'm wasting time filling up "paper" LoA if it's only going to be used for BGP.

But on the other hand... it failed on a:

. Cisco (*cough* LinkSys) WRT54G loaded with DD-WRT v2.4-sp2 micro (2010/10/09);
. SonicWall 2040 with 4.2.1.3;
. Thompson SpeedTouch 516;

( I'm looking around for more CPE I could "use", for testing =D )

PS: I'm not promoting the listed vendors, products. It's only a quick test with what I had on hand during breakfast.

-----
Alain Hebert    ahebert () pubnix net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911    http://www.pubnix.net    Fax: 514-990-9443