BCP38 tester?
- Subject: BCP38 tester?
- From: mysidia at gmail.com (Jimmy Hess)
- Date: Mon, 1 Apr 2013 01:31:41 -0500
- In-reply-to: <1364792091.2136.15.camel@karl>
- References: <[email protected]> <1364787851.2136.7.camel@karl> <[email protected]> <1364792091.2136.15.camel@karl>
On 3/31/13, Karl Auer <kauer at biplane.com.au> wrote:
> On Mon, 2013-04-01 at 15:07 +1100, Mark Andrews wrote:
>> In message <1364787851.2136.7.camel at karl>, Karl Auer writes:
>> > A side effect of NAT is to clamp the source address range
>> It depends on how the nat is configured.
> OK - how does one configure NAT so that the source addresses of outbound
> packets are NOT clamped to a configured range on the outside of the NAT
> device? Given this general scenario, of course:
He said it depends on how NAT is configured; but really, before it
depends on that -- it first depends on what kind of device is used,
and what kind of NAT is being implemented.
In some implementations, only certain ranges of source IP addresses
are subject to translation. They might be NAT'ing based on network,
interface, or access-list.
> Inside Outside
> Nasty spoofing scum ----> NAT ---> helpless victims
> Outbound --->
It occurs that if the CPE are /truly/ clamping the Source address
space, then in essence,
BCP38 is essentially happening at the CPE.
If your packet source address is clamped, then, by definition a host
can't spoof a packet, right; so maybe that's not a host that needs to
be tested further (the upstream provider might still have no BCP38,
it's just not exposed to that particular host).
Unless, of course, there are protocols your NAT device passes
unaltered such as possibly ICMP, or ICMPv6, in case NAT only
applies to IPv4, a host behind the NAT might still be able to spoof
IPv6 source addresses.
--
-JH
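
Added example, not part of the original message: a small Python model of the point discussed above, showing which source addresses leave a CPE unaltered depending on whether NAT is applied by access-list, to all IPv4, or together with an inside source filter. The `Cpe` fields, the three device profiles, and all addresses (documentation ranges) are constructed assumptions, not any real device's configuration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Cpe:
    """Constructed model of a CPE; every field is an assumption for illustration."""
    nat_acl: tuple                   # prefixes whose source addresses are translated
    outside_addr: str                # address NAT rewrites matching sources to
    forward_unmatched: bool = True   # are packets that miss the NAT ACL still routed?
    src_filter: tuple = ()           # inside-interface source filter; empty = none

def _within(src, prefixes):
    addr = ipaddress.ip_address(src)
    # Membership is always False across address families (IPv4 vs IPv6).
    return any(addr in ipaddress.ip_network(p) for p in prefixes)

def egress_source(cpe, src):
    """Source address seen on the outside, or None if the CPE drops the packet."""
    if cpe.src_filter and not _within(src, cpe.src_filter):
        return None                  # BCP38-style filtering at the CPE itself
    if _within(src, cpe.nat_acl):
        return cpe.outside_addr      # clamped to the outside address
    return src if cpe.forward_unmatched else None

def unaltered_sources(cpe, candidates):
    """Candidates that reach the upstream with their source address untouched."""
    return [s for s in candidates if egress_source(cpe, s) == s]

# Constructed sample sources: one legitimate inside host, two off-net sources.
CANDIDATES = ["192.168.1.50", "198.51.100.7", "2001:db8::bad"]

# NAT by access-list only; everything else is routed as-is.
ACL_NAT = Cpe(nat_acl=("192.168.1.0/24",), outside_addr="203.0.113.5")
# NAT clamps every IPv4 source, but IPv6 is forwarded without translation.
V4_CLAMP = Cpe(nat_acl=("0.0.0.0/0",), outside_addr="203.0.113.5")
# Same NAT as ACL_NAT plus a source filter on the inside interface.
FILTERED = Cpe(nat_acl=("192.168.1.0/24",), outside_addr="203.0.113.5",
               src_filter=("192.168.1.0/24",))

if __name__ == "__main__":
    for name, cpe in (("acl-nat", ACL_NAT), ("v4-clamp", V4_CLAMP),
                      ("filtered", FILTERED)):
        print(f"{name:9} passes unaltered: {unaltered_sources(cpe, CANDIDATES)}")
```

Only the profiles that return an empty list make a spoofing test from an inside host uninformative about the upstream; the others still need upstream BCP38 to be checked.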