Rob and Marius,
When considering:
- I did realize other spoofed packets may enter and route. I've been
researching that as well, and have thus far filtered only against
someone spoofing an IP in my subnet
- I considered that other 44 operators know our Public IP (Rob noted
this), I did not consider them as a part of the assessment, as we MUST
know one another's Public IPs to properly route traffic
- We do not publicize our IPs; but considering it's possible, Marius'
solution is the only reasonable answer for all cases (i.e. to only
accept IPENCAP on the real WAN). Although, after that, an operator can
only use 44 addresses routed to the PHY with that Public IP address
- While only accepting 44net traffic on the tunnel could prevent
spoofing to Public addresses, it only prevents spoofing to one another
by trust, and others through the same Security by Obscurity of not
publicizing the Public IP addresses
- Lynwood
KB3VWG
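The three filters discussed in the message above (accept IPENCAP only on the real WAN interface, drop tunnel traffic that claims a source in the gateway's own subnet, and accept only 44net destinations out of the tunnel) expressed as an nftables ruleset. This is an added illustration, not a ruleset posted in the thread or shipped by any 44net project; the interface names eth0 and tunl0, the 44.0.0.0/8 network and the 44.0.0.0/24 "own subnet" are placeholders that would be replaced with the gateway's real values.

```nftables
#!/usr/sbin/nft -f
# Added example; not from the original mailing-list thread.
# Assumed names (replace with your own):
#   eth0          the real WAN interface that carries the Public IP
#   tunl0         the IPIP tunnel interface (IPENCAP = IP protocol 4)
#   44.0.0.0/8    the 44net space routed over the tunnel mesh
#   44.0.0.0/24   placeholder for this gateway's OWN 44net allocation

define wan      = "eth0"
define tun      = "tunl0"
define net44    = 44.0.0.0/8
define mysubnet = 44.0.0.0/24

table inet ampr {
    chain input {
        type filter hook input priority 0; policy accept;

        # 1. IPENCAP is accepted only when it arrives on the real WAN.
        #    Encapsulated packets on any other interface are dropped
        #    before the kernel decapsulates them.
        ip protocol 4 iifname != $wan drop

        # 2. Anti-spoof on the tunnel: after decapsulation, no remote
        #    gateway can legitimately source an address out of our own
        #    subnet, so such packets are dropped.
        iifname $tun ip saddr $mysubnet drop

        # 3. Only 44net destinations may come out of the tunnel; this
        #    stops decapsulated packets aimed at Public (non-44) addresses.
        iifname $tun ip daddr != $net44 drop
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # The same two tunnel-side checks apply to transit traffic.
        iifname $tun ip saddr $mysubnet drop
        iifname $tun ip daddr != $net44 drop
    }
}
```

Load it with `nft -f` and confirm the counters with `nft list table inet ampr`. Rules 2 and 3 act on the decapsulated packet (interface tunl0), rule 1 on the outer IPENCAP packet (interface eth0), which is why they live in the same chain but match on different interfaces. As the message points out, none of these rules helps against a party who already knows the Public IP and sends IPENCAP to it with a spoofed source from some other operator's 44 block; that case is covered only by trust among operators and by not publicizing the Public IP.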