Re: Hiding NATs with PF
From: Simon Farnsworth (usenet_at_farnz.org.uk)
Date: 09/28/05
- Next message: Charles: "KDE 3.4.2"
- Previous message: Jakub Głazik: "Re: Difference between package-1.0 and package-1.0p0"
- In reply to: Max Bolingbroke: "Re: Hiding NATs with PF"
- Next in thread: Max Bolingbroke: "Re: Hiding NATs with PF"
- Reply: Max Bolingbroke: "Re: Hiding NATs with PF"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Wed, 28 Sep 2005 22:26:24 +0100
Max Bolingbroke wrote:
>> Assuming the person who sets the NAT router up is competent, it's not an
>> issue. However, it's not uncommon for internal routing infrastructure to
>> be running on RFC 1918 private IP addresses (the same batch you'll choose
>> your private addresses from). If you (by accident or through stupidity)
>> start letting your "private" addresses through, you could kill parts of
>> their campus routing by poisoning ARP tables.
>
> Ah, that's interesting! Sounds like a mistake that's pretty hard to make
> though, not on the order of the serious routing overhead they describe.
>
On the other hand, make it, and you have the potential to completely trash
their routing, to the point that they have to send someone round with a
laptop to work out which segment is confusing things.
>> You and I share one IP via NAT; said IP is registered to you. I break
>> into a bank's computer system. When the authorities come to get you, you
>> point the finger at me. I point the finger at you, and we have a
>> standoff. By banning NAT routers, your upstream can get you for
>> unauthorised NAT even if they can't get you for the break-in.
>
> You're right, I didn't consider a scenario with two users.
>
Incidentally, I used to know an admin of a university network with the same
policy. His view on it was that unofficially, they didn't go looking for
breaches of this rule, but if a security incident brought it to their
attention, you were *toast* (as in facing the risk of being thrown out
altogether). I would guess that you're in a similar situation, so bear that
risk in mind, and get your configs *right* first time :)
-- Simon Farnsworth
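As an added example, not from this thread: a PF ruleset for the setup under discussion, with egress filtering so that a mistake in the NAT cannot leak RFC 1918 source addresses onto the campus side. Interface names, the LAN prefix and the old-style nat syntax (pre-OpenBSD 4.7, current when this was written) are assumptions.

```pf
# Added example, not from the thread. Interface names and LAN prefix are assumptions.
ext_if = "fxp0"
int_if = "fxp1"
int_net = "192.168.1.0/24"

# All of RFC 1918, so a typo in int_net still cannot let any private address out.
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Bind states to the interface they were created on. With floating states a packet
# admitted by the inbound rule on $int_if would match its own state on the way out
# of $ext_if and never be tested against the egress block below.
set state-policy if-bound

# Hide the LAN behind whatever address the external interface currently holds.
# (Pre-4.7 syntax; nat is applied before the filter rules see the packet.)
nat on $ext_if from $int_net to any -> ($ext_if)

# Anything that reaches the campus side untranslated with a private source
# address is the leak described above: drop it and log it.
block out log quick on $ext_if from <rfc1918> to any

# Private-sourced traffic arriving from the campus side is never ours to answer
# or forward either.
block in log quick on $ext_if from <rfc1918> to any

# Default deny; only the LAN prefix that is actually translated may go out.
block all
pass in on $int_if from $int_net to any keep state
pass out on $ext_if from ($ext_if) to any keep state
```

Check it with `pfctl -nf /etc/pf.conf` before loading, and watch `tcpdump -n -e -i pflog0` for hits on the two block rules: any logged packet there is a private address that would otherwise have escaped.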