[TriLUG] spoofing mac addresses

Ryan Leathers Ryan.Leathers at globalknowledge.com
Thu Aug 12 14:42:21 EDT 2004


Well behaved protocols keep L3 info at L3 and L4 info at L4 and so on.  Not
so well behaved protocols don't share the same fidelity.  Session
information in the payload rather than in the header is a tough bugger when
you toss NAT in the mix.  Ya it can be done, but its a pain.  Cisco lumps
this into their "fix-up" options in some of their hardware for example.

-----Original Message-----
From: Aaron Joyner [mailto:aaron at joyner.ws]
Sent: Thursday, August 12, 2004 2:12 PM
To: Triangle Linux Users Group discussion list
Subject: Re: [TriLUG] spoofing mac addresses


What precisely is the problem with NATing SIP connections?  Is it that 
SIP is port-less, some other protocol, not TCP? (gre perhaps?)  If 
that's the case, a kernel module akin to the ip_conntrack_ftp would be 
capable of handling the translations necessary (although different from 
what conntrack_ftp does, it could tie into the iptables implementation 
in a similar manner, I'd think).  I haven't really looked into this 
very thoroughly, but would be interested in knowing more about the 
limitations.  Perhaps we can brain-storm it at the meeting tonight if 
you're coming, Jon?

Aaron J.


On Aug 12, 2004, at 10:26 AM, Jon Carnes wrote:

> On Thu, 2004-08-12 at 09:57, Reginald Reed wrote:
>> Another way to do this is for your code to "be the IP stack" bypassing
>> the kernel IP stack altogether.  Using libnet and libpcap, you
>> basically roll your own packets to send and anything received, you
>> filter based on what you're looking for (combo of IP address and
>> destination MAC, etc) and process accordingly.  This is pretty easy
>> for UDP, TCP adds a few challenges.  My team his written several
>> internal tools that use this method to scale traffic generation and
>> network simulation stuff using Python (with wrapped libnet and libpcap
>> functions).
>>
>> --Reggie
>
> Interesting... This would give you the ability to write a Voice Proxy
> Firewall for dealing with phones behind NAT'ed firewalls. The current
> price for such software is $4k to $12k.
>
> It would be great to see an open source version of one of these (or a
> cheaper version that ran on Linux).
>
> Jon Carnes
>
> -- 
> TriLUG mailing list        : 
> http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ  : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> TriLUG PGP Keyring         : http://trilug.org/~chrish/trilug.asc

-- 
TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ  : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring         : http://trilug.org/~chrish/trilug.asc



More information about the TriLUG mailing list