Largely, yes... W
On Tue, Aug 19, 2025 at 6:16 PM, Joel Halpern <[email protected]> wrote: > Off-list: Does this mean that any IP source spoof prevention mechanism > needs an exception for ICMP error packets sourced from 192.0.0.8? > > Yours, > > Joel > > On 8/19/2025 6:07 PM, Warren Kumari via NANOG wrote: > > On Tue, Aug 19, 2025 at 3:56 PM, Jonathan Kalbfeld <[email protected]> > wrote: > > > > > There are other reasons to do it intentionally. > > >> > > Yup, there are other intentional places where you can emit packets which > are not announced. > > > > > For example, the Reserved IPv4 Dummy Address (192.0.0.8): RFC7600 - "IPv4 > Residual Deployment via IPv6 - A Stateless Solution (4rd)" > <https://datatracker.ietf.org/doc/rfc7600/> Sec 4.6: > "R-22: If a CE or BR receives an ICMPv6 error message [RFC4443], it > MUST synthesize an ICMPv4 error packet [RFC792]. This packet > MUST contain the first 8 octets of the discarded packet's IP > payload. The reserved IPv4 dummy address (192.0.0.8/32; see > Section 6) MUST be used as its source address." > > > > > W > > > > > You can use 10/8 to exfiltrate data. So you could have a receiving system > > that catalogs every 10.x IP address and then assembles them in order for a > bit stream. You can exfiltrate data pretty quickly. Think of it like a > number station. > > >> > > Jonathan Kalbfeld > > >> > > office: +1 310 317 7933 > fax: +1 310 317 7901 > home: +1 310 317 7909 > mobile: +1 310 227 1662 > > >> > > ThoughtWave Technologies, Inc. > Studio City, CA 91604 > > >> > > https://thoughtwave.com > > >> > > View our network at > > >> > > https://bgp.he.net/AS54380 > > >> > > +1 844 42-LINUX > > >> > > On Aug 19, 2025 at 12:13 PM, Joe Greco via NANOG <[email protected]> > wrote: > > >> > > On Tue, Aug 19, 2025 at 07:10:54PM +0200, Bill Woodcock via NANOG wrote: > > >> > > Sure. A large American mobile operator did that with a lot of their DNS > traffic for a couple of months. :-) > > >> > > Of course you may be talking about doing it _intentionally_. I don???t > know of a reason to do it, but sure, it can be done. It???ll get dropped by > anybody running uRPF. > > >> > > I don't remember if it was at SANE 2000 or 2002, but I was talking with a > gentleman who was discussing network security with me and he described that > his employer had just patented his technique for discovering "leaks", rogue > connections, etc., in a secured network. He was being very mysterious so I > asked him how his technique was different than the classic trawling around > shooting packets with various source addresses at various targets within a > network. Which is what they thought was unique and patentable. > > >> > > So the point is that if you have an unrouted prefix, you can monitor the > authorized uplink from a network to see if traffic sprayed within the > network is seeing plausible response traffic addressed to that unrouted > prefix, but also if you happen to have a ROUTABLE prefix, you can also > detect rogue uplinks and stuff like that by seeing what does actually > arrive at the routed network. > > >> > > This is not exactly what the OP asked about, but it is in the same > ballpark and may be interesting to someone. The ICMP response answer posted > by Mr. Heitz is obviously more common as are the accidental > misconfiguration class of answers. > > >> > > ... JG > -- > Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net > "The strain of anti-intellectualism has been a constant thread winding its > way through our political and cultural life, nurtured by the false notion > that democracy means that 'my ignorance is just as good as your > knowledge.'"-Asimov > _______________________________________________ > NANOG mailing list > https://lists.nanog.org/archives/list/[email protected]/message/ > HEOW6YA7H7FS5IRR4LIPXNV4Q7FESVK6/ > <https://lists.nanog.org/archives/list/[email protected]/message/HEOW6YA7H7FS5IRR4LIPXNV4Q7FESVK6/> > > >> > > _______________________________________________ > NANOG mailing list > https://lists.nanog.org/archives/list/[email protected]/message/ > PLFI75KYZXX7AZW7JLM2YL6MYW56CSGZ/ > <https://lists.nanog.org/archives/list/[email protected]/message/PLFI75KYZXX7AZW7JLM2YL6MYW56CSGZ/> > > >> > > _______________________________________________ > NANOG mailing list > > https://lists.nanog.org/archives/list/[email protected]/message/MHFSGEQUXX6ENXCHSTOX2646X64MKSHU/ > > _______________________________________________ > NANOG mailing list > > https://lists.nanog.org/archives/list/[email protected]/message/M67A3QZHSZSDDFGGK54QQULAKUIVUX6F/ > _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/[email protected]/message/5LYVBMLTSDG25R55SWYEN4YUQORV2IDI/
