All,
FYI, I have recorded NetFlow on my tunl0 interface that appears to be NESTED IPENCAP packets. I have also seen these previously.
This is similar to a vector I described in my 20AUG remarks in "Security/Wiki Question - Requesting a Block."
Because the source and destination IP addresses recorded could be spoofed (or the result of a misconfigured AMPR router), I do not want to alarm anyone by giving the specific address. I will note the packets contained the source address of an AMPR node and the destination of AMPRGW (i.e. another nested packet or a packet that would be de-encapsulated by AMPRGW); and were recorded over 60 seconds in a window of 24 hours. I have added the following rule to my firewall, to appear in iptables before my bogons:
# THIS PREVENTS NESTED IPENCAP
iptables -t raw -I PREROUTING -p 4 -i tunl0 -j DROP
To add: a source IP iptables rule (based on BCP 38) had prevented these packets from forwarding.
73,
- Lynwood KB3VWG
"Archives of security comments in this forum from others suggest proper firewalling is necessary in environments running IPENCAP-enabled routers, ESPECIALLY BECAUSE of the presence of NAT/masquerade co-existing in some AMPRNet nodes..."
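As an added illustration (not part of the post above, and not AMPR project code), the following Python walks the IP-in-IP layers of a packet the way the kernel would before handing it to tunl0, and applies the two checks the post relies on: the raw-table rule that drops protocol 4 arriving on tunl0 (i.e. a still-encapsulated packet after one de-encapsulation) and a BCP 38 source-prefix check. The packets and the 44.0.0.0/8 source prefix are constructed assumptions for the demonstration.

```python
import ipaddress
import struct

IPENCAP = 4  # IP protocol number for IP-in-IP (IPENCAP), the -p 4 in the iptables rule
# Assumption for this example: source prefix expected on tunl0 (BCP 38 ingress filter).
ALLOWED_SRC = ipaddress.ip_network("44.0.0.0/8")


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left zero) in front of payload.
    Constructed test data only, not a real capture."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def ip_layers(packet):
    """Walk IPENCAP layers outermost-first; return [(src, dst, proto), ...]."""
    layers, data = [], packet
    while len(data) >= 20 and data[0] >> 4 == 4:
        ihl = (data[0] & 0x0F) * 4
        if ihl < 20 or len(data) < ihl:
            break
        src = str(ipaddress.IPv4Address(data[12:16]))
        dst = str(ipaddress.IPv4Address(data[16:20]))
        layers.append((src, dst, data[9]))
        if data[9] != IPENCAP:
            break  # innermost payload reached (UDP, TCP, ...)
        data = data[ihl:]
    return layers


def classify_on_tunl0(packet, allowed_src=ALLOWED_SRC):
    """Decide what the firewall would do with a packet as seen on tunl0,
    i.e. after the kernel has stripped exactly one IPENCAP header."""
    layers = ip_layers(packet)
    if not layers:
        return "drop-malformed"
    src, _dst, proto = layers[0]
    if proto == IPENCAP:
        return "drop-nested-ipencap"  # iptables -t raw -I PREROUTING -p 4 -i tunl0 -j DROP
    if ipaddress.ip_address(src) not in allowed_src:
        return "drop-bcp38"           # source address not from the expected prefix
    return "accept"


def decapsulate_once(wire_packet):
    """Emulate the kernel's tunl0 handling: strip the outer IPENCAP header only."""
    ihl = (wire_packet[0] & 0x0F) * 4
    return wire_packet[ihl:] if wire_packet[9] == IPENCAP else wire_packet
```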