From: Dave Taht
To: "cerowrt-devel@lists.bufferbloat.net"
Date: Sun, 23 Feb 2014 21:51:58 -0500
Subject: [Cerowrt-devel] bcp-38
List-Id: Development issues regarding the cerowrt test router project

On Sun, Feb 23, 2014 at 7:43 PM, Chuck Anderson wrote:
> On Sun, Feb 23, 2014 at 07:05:25PM -0500, Dave Taht wrote:
>> - no bcp38 still (help?)
>
> Can you explain exactly what you are trying to do with the bcp38 stuff
> and what makes it so complicated? I would think you just need to drop
> all packets with source addresses that are not contained in locally
> configured subnets?

Every time I think I have a day set aside to get it done it gets eaten
by something else. Anyway, basic proof of concept code for it is at:

https://github.com/dtaht/bcp38

and a start of a script in ceropackages-3.10/net/bcp38.

I'd started at it before we had source specific routing for ipv6 working,
so it's looking like bcp38 for ipv6 is not needed. Yea. Still is a major
problem on ipv4.

The fw3 code has the ability to create/destroy ipsets, but not a good
way to insert firewall rules based on them, and there needs to be a hook
(somewhere) to allow (briefly) for dhcp derived ip addresses to be set
up and tested for double-nat conditions (and at the very least,
double-nat allowed for the first hop off of an interface).

1) What is a locally configured subnet? How do you know it's a locally
configured subnet without deriving it from the entire network? You can't.

BUT this scenario is problematic. Suppose I had a device on 172.30.41.2
(a dns server). Its router goes away. Attempts to access it then result
in this scenario: (true btw)

172.30.43.1 sends packets in the general direction of 172.30.41.2. But
its router (on 172.30.41.1) has failed. The route no longer exists, so
the packet goes to the default gw of 172.30.42.1, gets natted and
proceeds merrily on its way to the next hop(s) outside the gateway (so
I'm sending a src addr of my external gw to 172.30.41.2).

At some point (after I've used up paid-for bandwidth), something notices
this... which eventually drops the packet, but the notification doesn't
necessarily make it back.

So what you want is to never double nat your own network when you don't
have to. that if you send something to an address inside the bcp38 list,
and it gets as far as the nat table, anything with a destination address
in the bcp38 and rfc1918 lists should get a host unreachable message. You
should drop anything in the bcp38 list.

A simpler case is someone pinging the entire 10 net from within your
network. your_network -> gw which nats it -> to the universe. (seen this)

The exception problem is that many devices depend on double nat in order
to work right these days. Example: cable modems depend on 192.168.100.1
to be their configuration interface... even if they provide a native ip.

ipsets handle adding the dynamic exceptions like that straightforwardly:

ipset add bcp38-ipv4 192.168.100.1/32 nomatch

And in some hook, somewhere, in the dhcp client script, there could be
something that takes the supplied netmask and adds that network to the
list. For example, I typically get a 10 net with a /24 from a netgear
router: get dhcp addr, it's got a netmask of 255.255.255.0 and a
destination of 10.0.1.1 and is assigned 10.0.1.8, set up

ipset add bcp38-ipv4 10.0.1.0/24 nomatch

Lastly, on inbound, packets from bcp38 and rfc1918 derived networks
should be dropped silently, by basically the same ruleset. (I do prefer
a chatty internal network)

Like I said, proof of concept code exists. I wanted something that could
be on by default, yet readily configurable, and survive firewall reloads
as well as dhcp renews. Part of the rule set needs to go in the pre-nat
table on inbound, another part before you hit nat on outbound (probably).

> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel

-- 
Dave Täht
Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
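An added example, not the dtaht/bcp38 proof of concept nor the CeroWrt package, of the two pieces the mail sketches: a dhcp-hook helper that turns the lease's address and netmask into the network to add as a nomatch exception, and the rule set that drops spoofed sources silently on inbound and answers outbound hits with host unreachable before they reach nat. It prints the ipset/iptables commands rather than running them; the WAN interface name and the list of never-routed ranges are assumptions.

```shell
#!/bin/sh
# Added example (not CeroWrt's bcp38 package). Interface name and the
# bogon list in bcp38_rules are constructed assumptions for illustration.

# Dotted quad -> 32-bit integer.
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length of a netmask; fails on a non-contiguous mask like 255.0.255.0.
mask2prefix() {
    m=$(ip2int "$1"); n=0
    while [ "$n" -lt 32 ] && [ $(( (m >> (31 - n)) & 1 )) -eq 1 ]; do n=$((n + 1)); done
    [ $(( (0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF )) -eq "$m" ] || return 1
    echo "$n"
}

# Network a lease implies: net_from_ip_mask 10.0.1.8 255.255.255.0 -> 10.0.1.0/24
net_from_ip_mask() {
    p=$(mask2prefix "$2") || return 1
    echo "$(int2ip $(( $(ip2int "$1") & $(ip2int "$2") )))/$p"
}

# Rule set: bcp38-ipv4 holds rfc1918 and other never-routed ranges; the
# upstream lease network and the cable modem's 192.168.100.1 are 'nomatch'
# exceptions so the first-hop double nat still works. Inbound spoofed
# sources drop in raw PREROUTING (pre-nat); outbound hits get host
# unreachable in FORWARD, i.e. before POSTROUTING nat sees them.
bcp38_rules() {
    wan=$3; net=$(net_from_ip_mask "$1" "$2") || return 1
    cat <<EOF
ipset create bcp38-ipv4 hash:net
ipset add bcp38-ipv4 10.0.0.0/8
ipset add bcp38-ipv4 172.16.0.0/12
ipset add bcp38-ipv4 192.168.0.0/16
ipset add bcp38-ipv4 169.254.0.0/16
ipset add bcp38-ipv4 127.0.0.0/8
ipset add bcp38-ipv4 $net nomatch
ipset add bcp38-ipv4 192.168.100.1/32 nomatch
iptables -t raw -I PREROUTING -i $wan -m set --match-set bcp38-ipv4 src -j DROP
iptables -I FORWARD -o $wan -m set --match-set bcp38-ipv4 dst -j REJECT --reject-with icmp-host-unreachable
EOF
}
```

Run as `bcp38_rules "$ip" "$subnet" ge00` from the dhcp client hook and pipe into `sh` once the output looks right; because the set is keyed by network, a renew that changes the lease only needs the old nomatch entry deleted and the new one added.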