As it is probably just a misconfiguration, it would be wise to publish
the address, or at least contact the owner of that node so that he can
take proper corrective action.
Usually, the tunnel interface does not decapsulate nested IPIP, at least
not on Linux, since it would need to be routed to a tunnel endpoint for
this to happen.
Marius, YO2LOJ
On 2016-10-12 04:38, lleachii--- via 44Net wrote:
> All,
>
> FYI, I have recorded NetFlow on my tunl0 interface that appears to be
> NESTED IPENCAP packets. I have also seen these previously.
>
> This is similar to a vector I described in my 20AUG remarks in
> "Security/Wiki Question - Requesting a Block."
>
> Because the source and destination IP addresses recorded could be
> spoofed (or the result of a misconfigured AMPR router), I do not want
> to alarm anyone by giving the specific address. I will note the
> packets contained the source address of an AMPR node and the
> destination of AMPRGW (i.e. another nested packet or a packet that
> would be de-encapsulated by AMPRGW); and were recorded over 60 seconds
> in a window of 24 hours. I have added the following rule to my
> firewall, to appear in iptables before my bogons:
>
> # THIS PREVENTS NESTED IPENCAP
> iptables -t raw -I PREROUTING -p 4 -i tunl0 -j DROP
>
> To add: a source IP iptables rule (based on BCP 38) had prevented
> these packets from forwarding.
>
>
> 73,
>
>
> - Lynwood
> KB3VWG
>
>
> "Archives of security comments in this forum from others suggest
> proper firewalling is necessary in environments running
> IPENCAP-enabled routers, ESPECIALLY BECAUSE of the presence of
> NAT/masquerade co-existing in some AMPRNet nodes..."
>
>
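The two checks Lynwood describes (dropping IPENCAP that shows up on tunl0, and a BCP 38 source filter), worked at the packet level as an added example; this is not code from either message or from the AMPRNet project. It assumes AMPRNet is 44.0.0.0/8 as it was at the time of the thread, builds its own sample packets from TEST-NET addresses with the checksum left at zero, and models what the kernel presents on tunl0 as the packet with one IPIP layer already stripped, so a protocol-4 packet seen there is by definition a nested one.

```python
"""Nested IPENCAP (IP-in-IP, protocol 4) detection and the two firewall
checks from the 44Net thread, applied to raw IPv4 bytes.

Added example, not code from the thread. ipip_depth() counts how many
IPIP layers wrap a packet as captured on the wire; tunl0_verdict() mirrors
the iptables rules on the packet the kernel hands to tunl0 after it has
removed the outer IPIP header.
"""
import ipaddress
import struct

IPPROTO_IPIP = 4  # "ipencap" in /etc/protocols, what iptables -p 4 matches

# Assumption: the AMPRNet allocation the thread refers to (44/8 in 2016).
# Adjust if you reuse this against the current, smaller allocation.
AMPRNET = ipaddress.ip_network("44.0.0.0/8")


def parse_ipv4(data):
    """Return (src, dst, proto, payload) for one IPv4 packet, or None.

    Only the fields needed here are decoded; options are skipped via IHL
    and the payload is cut at Total Length so trailing padding is ignored.
    """
    if len(data) < 20 or data[0] >> 4 != 4:
        return None
    ihl = (data[0] & 0x0F) * 4
    if ihl < 20 or len(data) < ihl:
        return None
    total_len = struct.unpack("!H", data[2:4])[0]
    proto = data[9]
    src = ipaddress.ip_address(data[12:16])
    dst = ipaddress.ip_address(data[16:20])
    return src, dst, proto, data[ihl:total_len]


def ipip_depth(data):
    """Number of IPIP layers around the innermost packet (0 = not IPIP).

    On the physical interface of a tunnel endpoint, 1 is normal tunnel
    traffic and 2 or more is the nested case the thread is about.
    """
    depth = 0
    hdr = parse_ipv4(data)
    while hdr is not None and hdr[2] == IPPROTO_IPIP:
        depth += 1
        hdr = parse_ipv4(hdr[3])
    return depth


def tunl0_verdict(packet):
    """Apply the two checks to a packet as it arrives on tunl0.

    The kernel has already stripped one IPIP layer, so:
      proto 4 here      -> nested IPENCAP  (iptables -t raw -p 4 -i tunl0 -j DROP)
      src not in 44/8   -> spoofed/misrouted (BCP 38 source filter)
    """
    hdr = parse_ipv4(packet)
    if hdr is None:
        return "DROP: not IPv4"
    src, _dst, proto, _payload = hdr
    if proto == IPPROTO_IPIP:
        return "DROP: nested IPENCAP"
    if src not in AMPRNET:
        return "DROP: non-AMPRNet source"
    return "ACCEPT"


def build_ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet: no options, TTL 64, checksum zero.

    Constructed test input only; a real capture would carry a checksum.
    """
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed,
    )
    return header + payload


# Constructed samples using TEST-NET ranges; 44.x are illustrative only.
INNER_UDP = build_ipv4("44.1.2.3", "44.4.5.6", 17, b"udp payload")
TUNNEL = build_ipv4("203.0.113.10", "198.51.100.20", IPPROTO_IPIP, INNER_UDP)
NESTED = build_ipv4(
    "203.0.113.10", "198.51.100.20", IPPROTO_IPIP,
    build_ipv4("44.9.9.9", "198.51.100.20", IPPROTO_IPIP, INNER_UDP),
)

if __name__ == "__main__":
    for name, pkt in (("tunnel", TUNNEL), ("nested", NESTED)):
        print(name, "depth on wire:", ipip_depth(pkt))
        on_tunl0 = parse_ipv4(pkt)[3]
        print(name, "verdict on tunl0:", tunl0_verdict(on_tunl0))
```

Run against a pcap by feeding each frame's IP payload to ipip_depth(); anything at depth 2 or more on the physical interface is what Lynwood's NetFlow on tunl0 would have reported as a protocol-4 flow. The verdict function deliberately checks the nesting before the source address, matching the ordering in the post (the raw-table drop sits before the bogon and BCP 38 rules).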