On Fri, 2 Mar 2001, mouss wrote:

> agreed, but the router is sending me packets back, no?

yes. by filling in a blank (aka SOURCE IP).

> how do these come to me?

ICMP (these are ICMP TTL EXCEEDED messages) is stateless, so you don't
have to set up a connection between two endpoints. it's just a postcard in
the wind. so, you can put ANY address in the source IP field and it will
get to the destination SO LONG AS THE ROUTERS ALONG THE WAY ALL KNOW HOW
TO GET IT THERE. that's the key. the destination address of a
connectionless message "stream" or a simple packet has to be valid, the
source doesn't. hence the ease of UDP and ICMP spoofing etc ...

super basic IP stuff here.

> I don't like relying on priv addresses to block threats. While it's
> not easy to reach a 10.1.2.3 router, it's still possible, unless you
> have things that block, but then you can just give it a public addr
> and block the undesired packets. no?

no, i think you understand it incorrectly.

say my network is 11.65/24. that's easy. say i have three routers (one
border and two LAN). if i give them *internal* addresses, router to router
interfaces, of 11.65.i.j, i have to filter them at the border if i want to
protect them. (and hell yes, i want to. you shouldn't be able to snmpwalk
or telnet to my internal routers as far as i am concerned, i'm a big
jerk that way, yes.) if i move them to 10/8 space, i can simply ingress
(and egress, i would hope) filter 10/8 at my border. blammo. now you can't
get to my routers from outside.

here's the catch about what you're saying above: "While it's not easy to
reach a 10.1.2.3 router, it's still possible ....". not necessarily. let's
say you wanted to ping my router, 10.1.1.1, from way over there, outside
my network. to get to MY 10.1.1.1 router, every router along the way would
have to know where to shove that 10.1.1.1 destination packet. they don't,
by convention. [there is NOTHING magical about these numbers, they're just
conventions codified by RFC1918.] that's the hitch. you have to know how to
get there. if you want to make a TCP connection, now the source IP *is*
important, as it's where the destination on the return packets will be
set.

look, again, this is really basic IP stuff. if this isn't making sense,
contact me offlist or go to a good bookstore and pick up some IP books. i
am especially fond of cisco's IP fundamentals books (not their IOS docs,
but their real honest to God IP stuff that isn't all about IOS.)

____________________________
jose nazario                                                 [EMAIL PROTECTED]
                     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
                                       PGP key ID 0xFD37F4E5 (pgp.mit.edu)

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
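The border filter described in the message above (ingress and egress filtering of 10/8 so that internal router interfaces are unreachable from outside, and the point that an ICMP packet can carry any source address) can be written out as a small policy check. This is an added example, not code from the thread or from the firewalls list; it uses Python's standard `ipaddress` module, covers all three RFC1918 ranges rather than just 10/8, and assumes a site prefix of 11.65.0.0/16 (taken from the author's "11.65.i.j" notation) for the egress anti-spoof rule. The sample packets are constructed to mirror the cases discussed in the message.

```python
import ipaddress
from dataclasses import dataclass

# RFC1918 private ranges. Routers on the public internet have no route for these,
# which is exactly why a packet addressed to 10.1.1.1 from "way over there" never arrives.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed site prefix (not stated exactly in the thread; inferred from "11.65.i.j").
SITE_NET = ipaddress.ip_network("11.65.0.0/16")


@dataclass
class Packet:
    src: str        # source IP as written in the header; may be spoofed, nobody checks it
    dst: str        # destination IP; must be routable or the packet goes nowhere
    proto: str      # "icmp", "udp" or "tcp" (informational only; the policy is address-based)
    direction: str  # "in" = arriving from the internet, "out" = leaving the site


def is_private(addr: str) -> bool:
    """True if addr falls in any RFC1918 range (IPv6 addresses never match)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def border_filter(pkt: Packet) -> tuple[str, str]:
    """Return ("drop" | "accept", reason) for one packet crossing the border router."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if pkt.direction == "in":
        # Ingress: a private source arriving from outside cannot be genuine, because no
        # outside router could have forwarded a reply to it. Spoofed ICMP/UDP lands here.
        if is_private(pkt.src):
            return "drop", "ingress: RFC1918 source address from outside"
        # Ingress: private destinations are our router-to-router interfaces; keep them
        # unreachable (no snmpwalk or telnet from the internet).
        if is_private(pkt.dst):
            return "drop", "ingress: RFC1918 destination (internal router interface)"
        return "accept", "ingress: public source and destination"
    # Egress: never leak private addresses in either field, and never let a packet out
    # whose source is not ours (the egress half of anti-spoofing).
    if is_private(pkt.dst):
        return "drop", "egress: RFC1918 destination leaving the site"
    if is_private(pkt.src):
        return "drop", "egress: RFC1918 source leaving the site"
    if src not in SITE_NET:
        return "drop", "egress: source address not in site prefix (spoofed)"
    return "accept", "egress: own source, public destination"


def run_sample() -> list[tuple[str, str]]:
    """Constructed packets mirroring the thread's cases; returns (description, action)."""
    cases = [
        ("spoofed ICMP TTL-exceeded, src 10.1.1.1, from outside",
         Packet("10.1.1.1", "11.65.3.4", "icmp", "in")),
        ("ping to internal router 10.1.1.1 from outside",
         Packet("203.0.113.9", "10.1.1.1", "icmp", "in")),
        ("ordinary TCP to a public host on the site",
         Packet("203.0.113.9", "11.65.3.4", "tcp", "in")),
        ("internal router's own address leaking outbound",
         Packet("10.1.1.1", "203.0.113.9", "icmp", "out")),
        ("outbound packet with a source that is not ours",
         Packet("192.0.2.5", "203.0.113.9", "tcp", "out")),
        ("normal outbound TCP from the site",
         Packet("11.65.3.4", "203.0.113.9", "tcp", "out")),
    ]
    return [(desc, border_filter(pkt)[0]) for desc, pkt in cases]


if __name__ == "__main__":
    for desc, action in run_sample():
        print(f"{action:6}  {desc}")
```

The order of the checks matters less than their scope: the ingress rules key on both header fields because the source can be anything at all (the "postcard in the wind" point), while the destination is the only field that actually had to be routable for the packet to reach the border.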
