As it is probably just a misconfiguration it would be wise to publish the address, or at least contact the owner of that node so that he could take proper corrective actions. Usually, the tunnel interface does not decapsulate nested IPIP, at least not on Linux, since it would need to be routed to a tunnel endpoint for this to happen.
Marius, YO2LOJ
On 2016-10-12 04:38, lleachii--- via 44Net wrote:
All,
FYI, I have recorded NetFlow on my tunl0 interface that appears to be NESTED IPENCAP packets. I have also seen these previously.
This is similar to a vector I described in my 20AUG remarks in "Security/Wiki Question - Requesting a Block."
Because the source and destination IP addresses recorded could be spoofed (or the result of a misconfigured AMPR router), I do not want to alarm anyone by giving the specific address. I will note the packets contained the source address of an AMPR node and the destination of AMPRGW (i.e. another nested packet or a packet that would be de-encapsulated by AMPRGW); and were recorded over 60 seconds in a window of 24 hours. I have added the following rule to my firewall, to appear in iptables before my bogons:
# THIS PREVENTS NESTED IPENCAP
iptables -t raw -I PREROUTING -p 4 -i tunl0 -j DROP

To add: a source IP iptables rule (based on BCP 38) had prevented these packets from forwarding.
73,
- Lynwood
KB3VWG
"Archives of security comments in this forum from others suggest proper firewalling is necessary in environments running IPENCAP-enabled routers, ESPECIALLY BECAUSE of the presence of NAT/masquerade co-existing in some AMPRNet nodes..."
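The following is an added example, not code from either poster or from the AMPRNet project: it peels IP-in-IP (protocol 4, "IPENCAP") layers off a raw IPv4 packet so a defender can count nesting depth in a capture, and it models what the `-p 4 -i tunl0` raw-table rule above matches once the kernel has stripped the outer header. All addresses are constructed RFC 5737 documentation addresses, not real AMPRNet nodes or AMPRGW.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4   # IP-in-IP ("IPENCAP"), the encapsulation AMPRNet tunnels use


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload) for the IPv4 header at the front of pkt, or None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, pkt[9], pkt[ihl:]


def encap_chain(pkt: bytes) -> list:
    """Peel IPIP layers: [(src, dst, proto), ...] outermost first, stopping at the first non-IPIP header."""
    chain = []
    while True:
        hdr = parse_ipv4(pkt)
        if hdr is None:
            break
        src, dst, proto, payload = hdr
        chain.append((src, dst, proto))
        if proto != IPPROTO_IPIP:
            break
        pkt = payload
    return chain


def ipip_depth(pkt: bytes) -> int:
    """Number of IPIP layers: 1 is a normal tunnel packet, 2 or more is nested IPENCAP."""
    return sum(1 for _, _, proto in encap_chain(pkt) if proto == IPPROTO_IPIP)


def matches_tunl0_drop(inner: bytes) -> bool:
    """Model of `iptables -t raw -I PREROUTING -p 4 -i tunl0 -j DROP`: the packet handed to
    tunl0 (outer header already stripped) is dropped when it is itself IPIP."""
    hdr = parse_ipv4(inner)
    return hdr is not None and hdr[2] == IPPROTO_IPIP


# Constructed samples (RFC 5737 documentation addresses; ICMP payload is a stub).
INNERMOST = build_ipv4("192.0.2.20", "192.0.2.2", 1, b"\x08\x00" + b"\x00" * 6)
NORMAL = build_ipv4("203.0.113.9", "198.51.100.1", IPPROTO_IPIP, INNERMOST)
NESTED = build_ipv4("203.0.113.9", "198.51.100.1", IPPROTO_IPIP,
                    build_ipv4("192.0.2.10", "192.0.2.1", IPPROTO_IPIP, INNERMOST))
```

`NESTED[20:]` is what tunl0 would see after the kernel removes the outer header; only that packet matches the drop rule, while a single-layer tunnel packet passes untouched.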