BCP38 tester?

Jimmy Hess mysidia at gmail.com
Mon Apr 1 06:31:41 UTC 2013


On 3/31/13, Karl Auer <kauer at biplane.com.au> wrote:
> On Mon, 2013-04-01 at 15:07 +1100, Mark Andrews wrote:
>> In message <1364787851.2136.7.camel at karl>, Karl Auer writes:
>> > A side effect of NAT is to clamp the source address range

>> It depends on how the nat is configured.
> OK - how does one configure NAT so that the source addresses of outbound
> packets are NOT clamped to a configured range on the outside of the NAT
> device? Given this general scenario, of course:

He said it depends on how NAT is configured; but really, before it
depends on that -- it first depends on what kind of device is used,
and what kind of NAT is being implemented.

In some implementations, only certain ranges of source IP addresses
are subject to translation. They might be NAT'ing based on network,
interface, or access-list.

>    Inside                                      Outside
>    Nasty spoofing scum ----> NAT ---> helpless victims
>                           Outbound --->


It occurs that if the CPE are /truly/ clamping the source address
space, then, in essence, BCP38 is essentially happening at the CPE.

If your packet source address is clamped, then, by definition, a host
can't spoof a packet, right; so maybe that's not a host that needs to
be tested further (the upstream provider might still have no BCP38,
it's just not exposed to that particular host).

Unless, of course, there are protocols your NAT device passes
unaltered, such as possibly ICMP or ICMPv6; in case NAT only
applies to IPv4, a host behind the NAT might still be able to spoof
IPv6 source addresses.

--
-JH
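
The selective-translation point in the message above, as an added example that is not part of the original post: a toy model of a NAT device whose rule matches only a configured IPv4 inside range, showing which outbound sources leave unclamped and how an egress filter at the CPE closes the gap. The rule layout, addresses (documentation ranges) and function names are constructed assumptions, not any vendor's behaviour.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class NatDevice:
    """Toy model of a NAT box; the rule layout is an assumption, not any vendor's."""
    nat_sources: list            # inside prefixes whose packets get translated
    outside_addr: str            # source address translated packets leave with
    egress_filter: bool = False  # drop anything that would leave untranslated

    def egress(self, src):
        """Return (action, source address seen on the outside)."""
        ip = ipaddress.ip_address(src)
        for prefix in self.nat_sources:
            net = ipaddress.ip_network(prefix)
            # An IPv4-only rule never matches an IPv6 packet.
            if ip.version == net.version and ip in net:
                return ("translated", self.outside_addr)
        if self.egress_filter:
            return ("dropped", None)
        return ("passed", src)   # forwarded with its original source

def unclamped(device, sources):
    """Sources that would appear outside exactly as the inside host set them."""
    return [s for s in sources if device.egress(s)[0] == "passed"]

# Constructed sample traffic using documentation address ranges.
SAMPLE_SOURCES = [
    "192.168.1.10",    # inside host, matches the NAT rule
    "198.51.100.99",   # IPv4 source outside the NAT rule's range
    "2001:db8::dead",  # IPv6 source; the NAT rule is IPv4 only
]

if __name__ == "__main__":
    nat_only = NatDevice(["192.168.1.0/24"], "203.0.113.7")
    filtered = NatDevice(["192.168.1.0/24"], "203.0.113.7", egress_filter=True)
    for name, dev in (("NAT only", nat_only), ("NAT + egress filter", filtered)):
        for src in SAMPLE_SOURCES:
            print(f"{name:20} {src:16} -> {dev.egress(src)}")
```
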




More information about the NANOG mailing list