Hi,

To avoid talking about different things, I'll make myself a bit more clear
(tell me if I'm not).

[Problem 1]
Assume my host is 10.1.2.3. Now assume that your router has the same address.
Can you explain to me how I can traceroute through your router? More precisely,
tell me what happens in your router stack when it is sending me an ICMP ttl
exceeded.

[Problem 2]
Assume your router has a private address, say 10.1.2.3. Tell me why I can't
telnet to it. The purpose of this question is that you come up with the conditions
that make it impossible to connect to your router, and then compare these
conditions with just blocking access to your router if it had a public address.

[Problem 3]
Now, why not use your router in bridge mode, in which case it is simply
invisible?

Some short comments inline.

At 13:40 02/03/01 -0500, Jose Nazario wrote:
>On Fri, 2 Mar 2001, mouss wrote:
>
> > agreed, but the router is sending me packets back, no?
>
>yes. by filling in a blank (aka SOURCE IP).

I don't see why an IP stack will send packets destined to 10.1.2.3 to
a remote host while this is one of its addresses. This is simply against
routing!

> > how do these come to me?
>
>ICMP (these are ICMP TTL EXCEEDED messages) is stateless, so you don't
>have to set up a connection between two endpoints. it's just a postcard in
>the wind. so, you can put ANY address in the source IP field and it will
>get to the destination SO LONG AS THE ROUTERS ALONG THE WAY ALL KNOW HOW
>TO GET IT THERE.

My point is that you can't put ANY address in the source IP field!
The address used is that of the outgoing interface, and if the packet is
going to the same, then it's not going over the wire.

>  that's the key. the destination address of a
>connectionless message "stream" or a simple packet has to be valid, the
>source doesn't. hence the ease of UDP and ICMP spoofing etc ...

To spoof, you need work. We're talking about standard IP operations.

>no, i think you understand it incorrectly.

see the beginning of this message.

>here's the catch about what you're saying above: "While it's not easy to
>reach a 10.1.2.3 router, it's still possible ....". not necessarily. let's
>say you wanted to ping my router, 10.1.1.1, from way over there, outside
>my network. to get to MY 10.1.1.1 router, every router along the way would
>have to know where to shove that 10.1.1.1 destination packet. they don't,
>by convention. [there is NOTHING magical about these numbers, they're just
>conventions codified by RFC1918.] that's the hitch. you have to know how to
>get there. if you want to make a TCP connection, now the source IP *is*
>important, as it's where the destination on the return packets will be
>set.

You're clearly misunderstanding me :)


>look, again, this is really basic IP stuff. if this isn't making sense,
>contact me offlist or go to a good bookstore and pick up some IP books. i
>am especially fond of cisco's IP fundamentals books (not their IOS docs,
>but their real honest to God IP stuff that isn't all about IOS.

As we say in French, "confidence for confidence", I recommend:
"TCP/IP illustrated", vol 1&2, Wright & Stevens
"Unix Network programming", vol 1&2, Stevens
BSD source code,

These are the best you can ever smell (Cisco docs require too much time for
what they provide. The website is hard to follow, and the printed books are
too long for the real info they contain...).

cheers,
mouss

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
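An added example, not from this thread or either poster, that models the behaviour mouss describes in Problem 1 and in his comment on the source address: a toy router whose ICMP Time Exceeded reply is sourced from the interface the reply leaves on, and which delivers to itself rather than over the wire when the reply's destination is one of its own addresses. The `Router` class, the interface names and all addresses (RFC 1918 for the LAN side, documentation ranges for the public side) are constructed for the example.

```python
import ipaddress

# RFC 1918 private ranges, as named in the thread: not routed on the public Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    addr = ipaddress.ip_address(addr)
    return any(addr in net for net in RFC1918)

class Router:
    """Constructed model: interface addresses plus a longest-prefix-match routing table."""
    def __init__(self, interfaces, routes):
        self.interfaces = {name: ipaddress.ip_address(a) for name, a in interfaces.items()}
        self.routes = [(ipaddress.ip_network(p), iface) for p, iface in routes]

    def lookup(self, dst):
        """Return ('local', None), ('forward', iface) or ('unroutable', None)."""
        dst = ipaddress.ip_address(dst)
        if dst in self.interfaces.values():
            return ("local", None)  # one of our own addresses: handled internally, never on the wire
        matches = [r for r in self.routes if dst in r[0]]
        if not matches:
            return ("unroutable", None)
        _net, iface = max(matches, key=lambda r: r[0].prefixlen)
        return ("forward", iface)

    def ttl_exceeded(self, original_src):
        """ICMP Time Exceeded for an expired packet whose source was original_src.
        The reply's source is the address of the interface the reply leaves on,
        which is the behaviour the message above describes (an assumption of this model)."""
        action, iface = self.lookup(original_src)
        if action != "forward":
            return {"sent": False, "reason": action}
        src = self.interfaces[iface]
        return {"sent": True, "iface": iface, "src": str(src), "dst": str(original_src),
                "src_is_rfc1918": is_rfc1918(src)}  # True: an outside sender has no route back to this hop

def demo():
    # Router with a private LAN side and a public WAN side (documentation addresses, constructed).
    r = Router({"lan": "10.1.2.3", "wan": "203.0.113.1"},
               [("10.1.2.0/24", "lan"), ("0.0.0.0/0", "wan")])
    return {
        "from_internet": r.ttl_exceeded("198.51.100.7"),    # reply leaves via wan with the public address
        "from_lan": r.ttl_exceeded("10.1.2.50"),            # reply leaves via lan with the private address
        "from_colliding_host": r.ttl_exceeded("10.1.2.3"),  # Problem 1: reply would be addressed to ourselves
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```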
