[162014] in North American Network Operators' Group


Re: BCP38 tester?

daemon@ATHENA.MIT.EDU (Karl Auer)
Mon Apr 1 04:02:59 2013

From: Karl Auer <kauer@biplane.com.au>
To: nanog@nanog.org
Date: Mon, 01 Apr 2013 19:02:40 +1100
In-Reply-To: <CAAAwwbUB-8G==ZzCtn_C5Yncd_t2==KNT_POZFdVPHW9BLS55g@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Mon, 2013-04-01 at 01:31 -0500, Jimmy Hess wrote:
> On 3/31/13, Karl Auer <kauer@biplane.com.au> wrote:
> > OK - how does one configure NAT so that the source addresses of outbound
> > packets are NOT clamped to a configured range on the outside of the NAT
> > device? Given this general scenario, of course:
> 
> He said it depends on how NAT is configured
> [...]
> In some implementations, only certain ranges of source IP addresses
> are subject to translation.

Um - if no address translation takes place, then, by definition, NAT has
not taken place.

So it may well be that a particular device, capable of doing NAT and
other things, of NATting some packets but not others, may permit
spoofed-because-not-NATted outbound packets, but I remain unconvinced
that a spoofed packet can make it through a NAT process and head
outbound without getting its source address clamped to a configured
range of outside addresses.

Now I'm imagining a NAT process that translates only *destination*
addresses - hm, is there such a beast?

Continuing to seek enlightenment...

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: B862 FB15 FE96 4961 BC62 1A40 6239 1208 9865 5F9A
Old fingerprint: AE1D 4868 6420 AD9A A698 5251 1699 7B78 4EEE 6017
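
Added example, not part of the original message or of any vendor's implementation: a small Python model of the case discussed in this thread, a device that translates only a configured inside range and forwards everything else unchanged, with and without a BCP38-style egress filter on the outside interface. All addresses, names and the `forward` pipeline are constructed assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

# Constructed sample values (private and documentation ranges), not from the thread.
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")   # sources subject to translation
OUTSIDE_ADDR = "203.0.113.10"                         # address sources are clamped to
ALLOWED_EGRESS = [ipaddress.ip_network("203.0.113.10/32")]

def selective_nat(pkt):
    """Translate the source only when it matches the inside range.

    Returns (packet, translated). A non-matching packet is returned
    unchanged: no NAT took place for it.
    """
    if ipaddress.ip_address(pkt.src) in INSIDE_NET:
        return Packet(OUTSIDE_ADDR, pkt.dst), True
    return pkt, False

def egress_filter(pkt):
    """BCP38-style check: permit only sources legitimately ours on the outside."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in ALLOWED_EGRESS)

def forward(pkt, filter_enabled):
    """Return (emitted packet or None if dropped, translated)."""
    out, translated = selective_nat(pkt)
    if filter_enabled and not egress_filter(out):
        return None, translated
    return out, translated

if __name__ == "__main__":
    samples = [
        Packet("192.168.1.20", "198.51.100.80"),  # legitimate inside host
        Packet("198.51.100.7", "198.51.100.80"),  # source outside the NAT range
    ]
    for enabled in (False, True):
        for p in samples:
            out, translated = forward(p, enabled)
            print(f"filter={enabled} in={p.src} translated={translated} "
                  f"out={'DROPPED' if out is None else out.src}")
```
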


