Try sniffing a network when someone is running SecuRemote :-)
(I must admit that I did not have a copy of the trace in front of me when I described the traffic below, but the gist of it is correct :-(.

Crispin Harris

> -----Original Message-----
> From: dgillett@deepforest.org [mailto:dgillett@deepforest.org]
> Sent: Monday, 11 June 2001 8:12 PM
> To: firewalls@Lists.GNAC.NET
> Subject: RE: This is a must read document. It will freak you out
>
>
> Ouch!
>
> Care to name the offending party, so those of us who have a choice
> can avoid it?
>
> David Gillett
>
>
> On 11 Jun 2001, at 10:05, Crispin Harris wrote:
>
> > One thing about egress filtering which I noted recently.
> >
> > If the leaf node is using VPN software, you may be in for a surprise!
> >
> > At least one major vendor of VPN client software performs the Virtual
> > functions by re-writing the source address of the packet:
> >
> > Mobile PC: -A-
> > VPN Gateway: -B-
> > Protected Server: -C-
> >
> > Communicating from -A- to -C- via -B-:
> > On A:
> > Packet 1:
> >   SRC: A
> >   DST: B
> >
> > Packet 2:
> >   SRC: -C-
> >   DST: B
> >
> > This product rewrites the packet so that the gateway sees an incoming
> > packet with the final destination as the source!
> > (Not very nice eh?)
> >
> > Regards,
> > Crispin Harris
> >
> > > -----Original Message-----
> > > From: Paul D. Robertson [mailto:proberts@patriot.net]
> > > Sent: Sunday, 10 June 2001 11:59 PM
> > > To: dgillett@deepforest.org
> > > Cc: firewalls@Lists.GNAC.NET
> > > Subject: RE: This is a must read document. It will freak you out
> > >
> > >
> > > On Sun, 10 Jun 2001 dgillett@deepforest.org wrote:
> > >
> > > > Egress filtering at border points is appropriate for leaf networks.
> > >
> > > Which is exactly what I'm proposing.
> > >
> > > > Many ISPs, though, also ferry third-party traffic between their
> > > > peering points; it would be inappropriate for them to accept traffic
> > > > that an egress rule elsewhere will prevent them from delivering.
> > >
> > > Egress rules don't prevent anything from being delivered if the egress is
> > > legitimate.
> > >
> > > > This isn't to say that it can't or shouldn't be done, only that
> > > > determining how much filtering should be done, and at which routers,
> > > > may be less simple for multi-homed ISPs than it sounds.
> > >
> > > Once again, I'm stressing that end-user network filtering be the
> > > major point of egress filtering, not ISP networks.
> > >
> > > ISPs can do fairly easy filtering based on prefixes they transit or
> > > announce, but I agree with the contention that the aggregation of traffic
> > > is too much at those points to not affect performance by filtering in the
> > > transit space. ISPs hosting networks should, of course, employ egress
> > > filtering, but in that case, they're acting as a leaf node, not a transit
> > > entity.
> > >
> > > Paul
> > > -----------------------------------------------------------------------------
> > > Paul D. Robertson      "My statements in this message are personal opinions
> > > proberts@patriot.net    which may have no basis whatsoever in fact."
> > >
> > > -
> > > [To unsubscribe, send mail to majordomo@lists.gnac.net with
> > > "unsubscribe firewalls" in the body of the message.]
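The two points in this thread, egress filtering at the leaf network and a VPN client that rewrites the packet source to the protected server's address, can be put side by side in a few lines. What follows is an added example written for this page, not code from any of the posters or from the VPN product named above. The leaf prefix, the addresses standing in for -A-, -B- and -C-, the constructed sample packets and the optional `allow_dst` gateway exception are all assumptions made for illustration; the thread itself does not propose the exception.

```python
"""Egress filter at a leaf-network border, applied to the VPN client flow
described in the thread.  Added example; addresses and packets are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import FrozenSet, Iterable, List, Tuple

# Constructed topology (assumed; the thread only gives the role letters).
LEAF_PREFIX: IPv4Network = ip_network("192.0.2.0/24")        # leaf network behind the filter
MOBILE_PC_A: IPv4Address = ip_address("192.0.2.10")          # -A-: VPN client on the leaf network
VPN_GATEWAY_B: IPv4Address = ip_address("198.51.100.1")      # -B-: VPN gateway outside the leaf
PROTECTED_SERVER_C: IPv4Address = ip_address("203.0.113.20")  # -C-: server reached only via -B-
RANDOM_EXTERNAL_HOST: IPv4Address = ip_address("198.51.100.200")  # not a VPN gateway


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


def egress_verdict(pkt: Packet, local_prefix: IPv4Network,
                   allow_dst: FrozenSet[IPv4Address] = frozenset()) -> str:
    """Decide whether one outbound packet may leave the leaf network.

    Rule 1 (the egress filter itself): a packet whose source address is not in
    the local prefix is dropped; that is the anti-spoofing check the thread
    is about.
    Rule 2 (an illustrative adjustment, not something the thread recommends):
    packets addressed to a listed VPN gateway pass regardless of source.  This
    is what it takes for the rewritten packets to survive the filter.
    """
    if pkt.dst in allow_dst:
        return "PASS"
    if pkt.src in local_prefix:
        return "PASS"
    return "DROP"


def vpn_client_flow() -> List[Packet]:
    """The two packets Crispin describes leaving -A-, as constructed samples.

    Packet 1 is ordinary: SRC=A, DST=B.  Packet 2 is the surprise: the client
    has rewritten the source to the final destination -C- while the
    destination is still the gateway -B-.
    """
    return [
        Packet(src=MOBILE_PC_A, dst=VPN_GATEWAY_B),
        Packet(src=PROTECTED_SERVER_C, dst=VPN_GATEWAY_B),
    ]


def spoofed_sample() -> Packet:
    """Constructed packet with a foreign source aimed at an arbitrary host:
    the case an egress filter exists to stop, and one the gateway exception
    must not let through."""
    return Packet(src=PROTECTED_SERVER_C, dst=RANDOM_EXTERNAL_HOST)


def run_filter(packets: Iterable[Packet], local_prefix: IPv4Network,
               allow_dst: FrozenSet[IPv4Address] = frozenset()
               ) -> List[Tuple[str, str, str]]:
    """Apply the filter to each packet and return (src, dst, verdict) rows."""
    return [(str(p.src), str(p.dst), egress_verdict(p, local_prefix, allow_dst))
            for p in packets]


if __name__ == "__main__":
    print("Plain egress filter (source must be in %s):" % LEAF_PREFIX)
    for src, dst, verdict in run_filter(vpn_client_flow(), LEAF_PREFIX):
        print("  %-14s -> %-14s %s" % (src, dst, verdict))
    print("With an exception for traffic to the VPN gateway:")
    gateways = frozenset({VPN_GATEWAY_B})
    for src, dst, verdict in run_filter(vpn_client_flow(), LEAF_PREFIX, gateways):
        print("  %-14s -> %-14s %s" % (src, dst, verdict))
    s = spoofed_sample()
    print("Spoofed packet with the exception in place: %s"
          % egress_verdict(s, LEAF_PREFIX, gateways))
```

Run stand-alone, the plain filter passes packet 1 and drops packet 2, which is the surprise the thread describes: the VPN still works only if the border device is told about the gateway. With the gateway exception both VPN packets pass, while the spoofed sample aimed anywhere else is still dropped, so the exception is scoped to the one destination rather than weakening the filter as a whole.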