BCP38 Deployment

Valdis.Kletnieks at vt.edu
Thu Mar 29 03:42:57 UTC 2012


On Wed, 28 Mar 2012 13:36:49 -0700, Leo Bicknell said:

> I think some engineers need to ask some interesting questions, like
> how, in a box doing NAT to an outside IP, does it ever emit a packet
> not from that outside IP?  The fact that you can spoof packets
> through some of the NAT implementations out there is mind-blowing
> to me.

The mind-blowing part for me:  Look at the MIT spoofing website, at
what percent of the net's address space is spoofable.  Then consider
what percent of the net is behind a NAT (either consumer grade,
or enterprise NAT).

http://spoofer.csail.mit.edu/summary.php

They're reporting that 20% or so (eyeballing) is unable to spoof due
to a NAT.  From that, and a guess of what % is *really* behind a NAT,
we can make an estimate of how common this failure mode is.