On 3/31/13, Karl Auer <kauer@biplane.com.au> wrote:
On Mon, 2013-04-01 at 15:07 +1100, Mark Andrews wrote:
In message <1364787851.2136.7.camel@karl>, Karl Auer writes:
A side effect of NAT is to clamp the source address range
It depends on how the NAT is configured.
OK - how does one configure NAT so that the source addresses of outbound packets are NOT clamped to a configured range on the outside of the NAT device? Given this general scenario, of course:
He said it depends on how NAT is configured; but really, before it depends on that -- it first depends on what kind of device is used, and what kind of NAT is being implemented. In some implementations, only certain ranges of source IP addresses are subject to translation. They might be NAT'ing based on network, interface, or access-list.
      Inside               Outside
Nasty spoofing scum ----> NAT ---> helpless victims
      Outbound --->
It occurs that if the CPE are /truly/ clamping the source address space, then, in essence, BCP38 is essentially happening at the CPE. If your packet source address is clamped, then, by definition, a host can't spoof a packet, right; so maybe that's not a host that needs to be tested further (the upstream provider might still have no BCP38, it's just not exposed to that particular host).
Unless, of course, there are protocols your NAT device passes unaltered, such as possibly ICMP or ICMPv6; in case NAT only applies to IPv4, a host behind the NAT might still be able to spoof IPv6 source addresses.
--
-JH
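
An added example, not part of the original message: a small Python model of the point discussed above, that a NAT which translates only sources matching an access list (and only IPv4) forwards everything else unaltered unless a BCP38-style source filter is also applied. All addresses, prefixes and function names are constructed assumptions.

```python
import ipaddress as ip

# Constructed sample configuration (assumed, not taken from the thread).
INSIDE_V4 = ip.ip_network("192.168.1.0/24")    # hosts behind the CPE
INSIDE_V6 = ip.ip_network("2001:db8:1::/64")   # delegated prefix, routed, not NATed
NAT_OUTSIDE = ip.ip_address("203.0.113.5")     # address the NAT rewrites sources to

def _matches(src, networks):
    # Compare only against networks of the same IP version.
    return any(src in n for n in networks if n.version == src.version)

def egress_source(src, nat_match, allowed=None):
    """Return the source address seen outside, or None if the packet is dropped.

    nat_match: networks whose sources are translated (access-list style NAT).
    allowed:   optional BCP38-style source filter checked first; None = no filter.
    """
    src = ip.ip_address(src)
    if allowed is not None and not _matches(src, allowed):
        return None                  # source not in an assigned prefix: drop
    if _matches(src, nat_match):
        return NAT_OUTSIDE           # translated, so the source is clamped
    return src                       # no NAT rule matched: forwarded unaltered

# Constructed outbound packets, labelled by what the inside host put in the header.
PACKETS = {
    "legit_v4":   "192.168.1.10",
    "spoofed_v4": "198.51.100.77",     # outside the NAT access list
    "legit_v6":   "2001:db8:1::10",
    "spoofed_v6": "2001:db8:ffff::1",  # IPv6 is never touched by the v4 NAT
}

def survey(allowed=None):
    """Map each sample packet to the source seen outside (None = dropped)."""
    out = {}
    for name, src in PACKETS.items():
        seen = egress_source(src, nat_match=[INSIDE_V4], allowed=allowed)
        out[name] = None if seen is None else str(seen)
    return out

if __name__ == "__main__":
    print("NAT only:        ", survey())
    print("NAT + src filter:", survey(allowed=[INSIDE_V4, INSIDE_V6]))
```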