All,
FYI, I have recorded NetFlow on my tunl0 interface that appears to be NESTED IPENCAP packets. I have also seen these previously.
This is similar to a vector I described in my 20AUG remarks in "Security/Wiki Question - Requesting a Block."
Because the source and destination IP addresses recorded could be spoofed (or the result of a misconfigured AMPR router), I do not want to alarm anyone by giving the specific address. I will note the packets contained the source address of an AMPR node and the destination of AMPRGW (i.e. another nested packet or a packet that would be de-encapsulated by AMPRGW); and were recorded over 60 seconds in a window of 24 hours. I have added the following rule to my firewall, to appear in iptables before my bogons:
# THIS PREVENTS NESTED IPENCAP
iptables -t raw -I PREROUTING -p 4 -i tunl0 -j DROP
To add: a source IP iptables rule (based on BCP 38) had prevented these packets from forwarding.
73,
- Lynwood KB3VWG
"Archives of security comments in this forum from others suggest proper firewalling is necessary in environments running IPENCAP-enabled routers, ESPECIALLY BECAUSE of the presence of NAT/masquerade co-existing in some AMPRNet nodes..."
As it is probably just a misconfiguration it would be wise to publish the address, or at least contact the owner of that node so that he could take proper corrective actions. Usually, the tunnel interface does not decapsulate nested IPIP, at least not on Linux, since it would need to be routed to a tunnel endpoint for this to happen.
Marius, YO2LOJ
On 2016-10-12 04:38, lleachii--- via 44Net wrote:
Rob,
You stated:
"When you are worried about intrusions it is probably more effective to block IPIP packets from sources that are not in the gateway list. I do that as well (via ampr-ripd)."
What command/script do you use to add the endpoints to iptables?
Excerpt of traffic seen on tunl0:
2016-10-10 21:50:00  3314.416   IPIP  213.57.252.71:0 -> 169.228.66.251:0
2016-10-10 23:47:41  19457.126  IPIP  213.57.252.71:0 -> 169.228.66.251:0
2016-10-11 08:07:18  27766.044  IPIP  213.57.252.71:0 -> 169.228.66.251:0
2016-10-11 17:23:19  2017.563   IPIP  213.57.252.71:0 -> 169.228.66.251:0
- Lynwood KB3VWG
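Lynwood's question above asks for a command or script that turns the gateway list into iptables rules, and his first message adds a rule against nested IPENCAP plus a BCP 38 source check. The POSIX shell script below is an added example written for this page; it is not code posted by Lynwood, Marius or Rob, and it is not ampr-ripd's own mechanism. It assumes the gateway list is in the encap.txt style ("route addprivate <net> encap <gw>" lines), that the tunnel interface is tunl0, that the node serves a single local /24 (the one used here is taken from the constructed sample and must be replaced), that 169.228.66.251 is the AMPRGW endpoint seen in the flow excerpt and does not itself appear as a route in the list, and that the set name ampr-gw is arbitrary. It prints the ipset and iptables commands rather than executing them, so it runs without root; pipe the output into sh as root to apply it.

```shell
#!/bin/sh
# Added example, not code from any poster in the thread.
# Builds an ipset of AMPR gateway endpoints from an encap.txt-style list and
# prints the iptables rules that (1) drop nested IPIP arriving on tunl0,
# (2) apply BCP 38 style anti-spoofing for one local subnet, and
# (3) accept outer IPIP (protocol 4) only from listed gateway endpoints.

# Constructed sample in encap.txt format. 192.0.2.10 is a documentation
# address; 213.57.252.71 is the gateway discussed in the thread.
SAMPLE_ENCAP='route addprivate 44.138.1.0/24 encap 213.57.252.71
route addprivate 44.60.44.0/24 encap 192.0.2.10
route addprivate 44.60.45.0/24 encap 192.0.2.10
# trailing comment that must be ignored'

# Print the unique gateway endpoints named in an encap list read from stdin.
extract_gateways() {
    awk '$1 == "route" && $4 == "encap" { print $5 }' | sort -u
}

# Emit ipset commands that rebuild the set atomically: fill a temporary set
# from the endpoints on stdin, then swap it in, so the live set is never
# empty while a refresh (e.g. from a cron job) is running.
ipset_commands() {
    set_name="$1"
    echo "ipset create $set_name hash:ip -exist"
    echo "ipset create ${set_name}-tmp hash:ip -exist"
    echo "ipset flush ${set_name}-tmp"
    while read -r gw; do
        echo "ipset add ${set_name}-tmp $gw -exist"
    done
    echo "ipset swap ${set_name}-tmp $set_name"
    echo "ipset destroy ${set_name}-tmp"
}

# Emit the iptables rules. Order matters: raw PREROUTING runs before conntrack
# and before the filter table, so nothing below ever sees a nested IPIP packet.
iptables_commands() {
    set_name="$1"; tun="$2"; my_net="$3"
    # 1. Nested IPENCAP: a packet decapsulated from the tunnel that is itself
    #    protocol 4 (the pattern reported in the first message).
    echo "iptables -t raw -I PREROUTING -p 4 -i $tun -j DROP"
    # 2. BCP 38 for a single-subnet node: our own prefix can never legitimately
    #    arrive from the tunnel, and only our own prefix may be forwarded out.
    echo "iptables -t raw -I PREROUTING -i $tun -s $my_net -j DROP"
    echo "iptables -I FORWARD -o $tun ! -s $my_net -j DROP"
    # 3. Outer IPIP is accepted only from endpoints present in the set.
    echo "iptables -I INPUT -p 4 -m set ! --match-set $set_name src -j DROP"
}

# Combine the pieces. Arguments: set name, tunnel interface, local subnet,
# AMPRGW endpoint (assumed absent from the route list, so added explicitly;
# -exist makes a duplicate harmless if the assumption is wrong).
build_rules() {
    set_name="${1:-ampr-gw}"; tun="${2:-tunl0}"; my_net="${3:-44.60.44.0/24}"
    amprgw="${4:-169.228.66.251}"
    {
        printf '%s\n' "$SAMPLE_ENCAP" | extract_gateways
        echo "$amprgw"
    } | ipset_commands "$set_name"
    iptables_commands "$set_name" "$tun" "$my_net"
}

# Stand-alone use: sh thisfile.sh --print | sudo sh
if [ "${1:-}" = "--print" ]; then
    build_rules
fi
```

In a real deployment the SAMPLE_ENCAP variable would be replaced by the current gateway list fetched from the portal or kept up to date by ampr-ripd, and the script rerun whenever that list changes; because the set is swapped rather than flushed in place, a refresh never leaves a window in which every gateway is blocked.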
Title: Haifa Gateway Experimental Routing tests
Hostname: 4z4zq-cam.no-ip.org
Gateway IP: 213.57.252.71
Originally added: 2015-11-15 19:42:17
Last modified: 2015-11-30 08:47:45
Subnet: 44.138.1.0/24
Notes: Experimental gateway to start routing from Internet to Packet in Haifa Area
Check with Ronen 4Z4ZQ; he is experimenting with some new routers there...
Marius, YO2LOJ
On 2016-10-12 16:53, lleachii--- via 44Net wrote:
44Net mailing list 44Net@hamradio.ucsd.edu http://hamradio.ucsd.edu/mailman/listinfo/44net