All,
FYI, I have recorded NetFlow on my tunl0 interface of what appear to be
NESTED IPENCAP packets. I have also seen these previously.
This is similar to a vector I described in my 20AUG remarks in
"Security/Wiki Question - Requesting a Block."
Because the source and destination IP addresses recorded could be
spoofed (or the result of a misconfigured AMPR router), I do not want to
alarm anyone by giving the specific address. I will note the packets
contained the source address of an AMPR node and the destination of
AMPRGW (i.e. another nested packet or a packet that would be
de-encapsulated by AMPRGW); and were recorded over 60 seconds in a
window of 24 hours. I have added the following rule to my firewall, to
appear in iptables before my bogons:
# THIS PREVENTS NESTED IPENCAP
iptables -t raw -I PREROUTING -p 4 -i tunl0 -j DROP
To add: a source IP iptables rule (based on BCP 38) had prevented these
packets from forwarding.
73,
- Lynwood
KB3VWG
"Archives of security comments in this forum from others suggest
proper firewalling is necessary in environments running IPENCAP-enabled
routers, ESPECIALLY BECAUSE of the presence of NAT/masquerade
co-existing in some AMPRNet nodes..."
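The nested-IPENCAP condition described in the post, written out as an added example (not code from the post or from the AMPRNet project): it walks the chain of protocol-4 (ipencap) IPv4 headers in a raw packet and counts encapsulation layers, so a wire packet with depth 2 is the one that arrives on tunl0 as protocol 4 and is matched by the raw-table DROP rule above. All addresses and packets are constructed TEST-NET samples; the function names are mine.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4  # "ipencap" in /etc/protocols: IPv4 carried inside IPv4


def parse_ipv4_header(buf, offset=0):
    """Return (proto, src, dst, header_len) for the IPv4 header at offset, or None."""
    if len(buf) - offset < 20 or buf[offset] >> 4 != 4:
        return None
    ihl = (buf[offset] & 0x0F) * 4
    if ihl < 20 or len(buf) - offset < ihl:
        return None  # truncated or malformed header: stop walking
    proto = buf[offset + 9]
    src = str(ipaddress.IPv4Address(buf[offset + 12:offset + 16]))
    dst = str(ipaddress.IPv4Address(buf[offset + 16:offset + 20]))
    return proto, src, dst, ihl


def encap_chain(packet):
    """Walk outer -> inner IPv4 headers for as long as the payload is protocol 4.
    Returns one (src, dst) pair per header, outermost first."""
    chain, offset = [], 0
    while (hdr := parse_ipv4_header(packet, offset)) is not None:
        proto, src, dst, ihl = hdr
        chain.append((src, dst))
        if proto != IPPROTO_IPIP:
            break
        offset += ihl  # offset only grows, so the walk always terminates
    return chain


def ipencap_depth(packet):
    """Number of ipencap layers: 0 = plain, 1 = ordinary tunnel, 2+ = nested."""
    return max(len(encap_chain(packet)) - 1, 0)


def is_nested_on_wire(packet):
    """Two or more ipencap layers on the wire. After tunl0 strips the outer
    header the same packet is seen as protocol 4 on tunl0, which is what
    'iptables -t raw -I PREROUTING -p 4 -i tunl0 -j DROP' matches."""
    return ipencap_depth(packet) >= 2


def build_ipv4(proto, src, dst, payload):
    """Constructed test packet: minimal 20-byte IPv4 header, checksum left at 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload
```

Feed `ipencap_depth` the raw IPv4 bytes of each record from a tcpdump/pcap taken on the physical interface; anything returning 2 or more is the traffic the NetFlow records showed on tunl0.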