Home page logo
/

nanog logo nanog mailing list archives

Re: BCP38 tester?
From: Jimmy Hess <mysidia () gmail com>
Date: Mon, 1 Apr 2013 04:37:21 -0500

On 4/1/13, Karl Auer <kauer () biplane com au> wrote:
So it may well be that a particular device, capable of doing NAT and
other things, of NATting some packets but not others, may permit

Yes.  Many NAT devices of reasonable quality are fully capable of such things.

And  skipping NAT or NAT'ing the source IP address on the outgoing
interface to the same as the source IP address the packet had on the
incoming interface,    is the likely default,  when  NAT has been
configured based on source IP address range,  on some devices.

spoofed-because-not-NATted outbound packets, but I remain unconvinced
that a spoofed packet can make it through a NAT process and head
outbound without getting its source address clamped to a configured
range of outside addresses.

Ah, but did you actually test your guess on a reasonably large variety
of NAT platforms?
It just takes 1 instance of the right platform to be in significant
use for something to be different than expected.

I remain unconvinced that all CPEs in all common configurations will
clamp the source address to a legitimate one in all cases.

It would just be way too much luck and convenience for that to happen
by coincidence.


Now I'm imagining a NAT process that translates only *destination*
addresses - hm, is there such a beast?

Of course there is...  in some implementations  you may need two NAT
rules to define a 1:1; a source NAT rule, and a destination NAT rule;
if you define only   the Source NAT rule, you just translate the
source IP address ranges selected to the translation IP address
range(s) selected for outgoing connections, and new incoming
connections are not translated;  if you define only the DNAT rule, you
translate only the WAN interface destination IP for incoming
connections,  and outgoing connections are not translated.


In various implementations
 you can have full-cone NAT, address-restricted cone NAT,
port-restricted cone NAT,  symmetric NAT,  and various combinations
and variations  (even different kinds of NAT in different directions),
 for each of source and destination address,  with or without storage
of a mapping for return traffic.

Different source or destination IP ranges or TCP/UDP ports might be
NAT'ed differently or not at all.

Not all implementations allow all possible useful NAT configurations.




Continuing to seek enlightenment...

Regards, K.
--
-JH


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]