On Mon, Mar 05, 2001 at 06:01:54PM +0100, mouss wrote:
> At 08:02 05/03/01 -0800, Devin L. Ganger wrote:
> >If you're sending anything out on the Internet from a source address of
> >10.1.2.3, you're obviously going through some sort of IP masquerading or
> >NAT. The router, in this case, will be seeing the traceroute packets
> >coming through with a source IP of whatever your masquerading is setting
> >it to, and it will be sending ICMP ttl exceeded to *that* IP address,
> >not to 10.1.2.3.
> >
> >Granted, if you're not doing that, then your point holds -- the router
> >is sending the ICMP ttl exceeded to itself.
> That's what I meant. A router with an address of 10.1.2.3 can't send an IP
> packet to 10.1.2.3 over the wire. That's possible through NAT or through
> other mechanisms (hacking the stack:), but it's simply bad and broken.
I will re-iterate: the situations under which this can be done either
indicate that you are on my network, a downstream of mine whose default
route is to shove everything at me, or exploiting a very bad
misconfiguration of my routers. If it's the latter, then I've got much
bigger configuration issues to deal with than using private addresses.
> Responding to a traceroute is done for just one reason: allowing a host to
> know the route. If it's to give him a faked answer, then it's bad practice.
192.168.x.y isn't a faked answer if that's what the box is configured
as. Since proper security is done in layers, using private IP ranges
for network equipment, in conjunction with other best-practice security
measures, means that it is that much harder for non-legitimate users to
attack, confuse, or spoof my routers.
> better is to either be invisible through bridge mode or refuse the packet.
> Lying is not a smart security measure.
Using private IPs is not lying.
--
Devin L. Ganger <[EMAIL PROTECTED]>
A guy, his car, his miss, his nerve;
He kissed his miss and missed the curve.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
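The thread above turns on what address a traceroute prober actually sees for a hop that is numbered from RFC 1918 space: the ICMP Time Exceeded reply is sourced from the expiring hop's configured interface address, and it is only rewritten if a NAT device sits on the return path. The model below is an added example, not code from the list thread or from any of its participants; the hop names and addresses are constructed, and the NAT behaviour is a deliberate simplification (a hop marked as NAT rewrites a private source address on replies it forwards back toward the prober).

```python
"""Model of how a traceroute prober sees hops that use RFC 1918 addresses.

Added example; not from the mailing-list thread. Hop names, addresses and the
NAT behaviour are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

RFC1918_NETS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


@dataclass
class Hop:
    name: str
    reply_addr: str                    # address the hop sources ICMP Time Exceeded from
    nat_public: Optional[str] = None   # if set, this hop NATs private sources it forwards toward the prober


def is_rfc1918(addr: str) -> bool:
    """True only for 10/8, 172.16/12 and 192.168/16 (not loopback or link-local)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETS)


def simulate_traceroute(path: List[Hop]) -> List[Tuple[int, str, str]]:
    """Simulate probes with TTL = 1..len(path) along `path` (prober side first).

    The probe with TTL n expires at path[n-1]; that hop answers with ICMP Time
    Exceeded sourced from its own reply_addr (the address it is configured with,
    private or not). The reply then traverses the hops between it and the prober
    in reverse; any hop doing NAT on that return path rewrites a private source
    to its public address. Returns (ttl, address seen by prober, "private"/"public").
    """
    seen = []
    for ttl in range(1, len(path) + 1):
        src = path[ttl - 1].reply_addr
        for h in reversed(path[:ttl - 1]):          # return path back to the prober
            if h.nat_public and is_rfc1918(src):
                src = h.nat_public                 # masquerading hides the private hop
        seen.append((ttl, src, "private" if is_rfc1918(src) else "public"))
    return seen


# Constructed path: a core router numbered from 192.168/16 with no NAT in front
# of it. Its reply reaches the prober with the private address intact, which is
# the configured address of that box, not a fabricated one.
PATH_NO_NAT = [
    Hop("edge", "203.0.113.1"),
    Hop("core", "192.168.10.1"),
    Hop("target", "203.0.113.50"),
]

# Constructed path: the same kind of internal hop, but the edge device NATs
# anything private that passes back out through it, so the prober sees the
# edge's public address twice and never learns about 10.1.2.3.
PATH_WITH_NAT = [
    Hop("edge-nat", "203.0.113.1", nat_public="203.0.113.1"),
    Hop("inner", "10.1.2.3"),
    Hop("target", "203.0.113.50"),
]


def private_hops(path: List[Hop]) -> List[int]:
    """TTLs at which the prober would see an RFC 1918 source address."""
    return [ttl for ttl, _, tag in simulate_traceroute(path) if tag == "private"]


if __name__ == "__main__":
    for label, path in (("no NAT", PATH_NO_NAT), ("with NAT", PATH_WITH_NAT)):
        print(f"--- {label} ---")
        for ttl, addr, tag in simulate_traceroute(path):
            print(f"{ttl:2d}  {addr:15s}  {tag}")
```

Running it shows the difference the thread argues about: without NAT the second hop appears as 192.168.10.1, exactly as the router is configured; with a masquerading edge the private hop is indistinguishable from the edge itself. Note that this only models what the prober sees, not whether a packet addressed back to a private hop would ever be routed to it.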