
I have a few questions regarding IPv4 and IPv6 spoofing. Might as well just list them to be concise:

  1. What's the usual routing policy for ISPs' routers in regards to spoofed source addresses? i.e. if an ISP's router manages the 123.123.123.xxx /24 block and a machine sends it a packet claiming to be from 99.99.99.99, does it still route the packet?
  2. Normally packets from within a subnet are translated to an external IP when they pass through a NAT router. Are there any methods that someone might use to forge the internet-side source address when sending a packet through such a router?
  3. Does IPv6 offer any mechanism or changes that mitigate (or perhaps create) such issues?
Polynomial
  • There are alternative routing systems like CJDNS that use a hash of a cryptographic public key as the IPv6 address. Spoofing then becomes impossible due to the inability to sign / authenticate connections for addresses not under your control. – Natanael May 04 '15 at 23:26

2 Answers


1) There doesn't appear to be a usual policy. Many ISPs do now drop packets with spoofed addresses, but there are still loads that do not.

2) When NAT'ing, a correctly configured router will have a small list of rules which define the IP address which will be attached, so the usual attack is to send from a location where this doesn't happen.

3) One of the reasons for NAT'ing is to allow you to have multiple IP addresses behind the ones you own on the Internet. With IPv6 this may be far less of an issue, so NAT'ing may end up being used less or not at all. You might think this may change the way protection against spoofed addresses would be implemented but it shouldn't - you will still implement rules which say for a router with a network A on one side, any packet with a source address that matches A coming in a different interface should be dropped as a spoof.

Rory Alsop
  • Thanks for the response. For question 2 I'm not so much talking about, say, sending a packet from non-existent 192.168.1.234, but rather tricking the NAT router into transmitting a packet to the internet with a fake source IP. Perhaps there's some kind of spoofing trick that involves L2TP or a similar protocol? – Polynomial Oct 12 '11 at 13:34
  • You can set a source IP to anything you like, and as long as it doesn't go through a router set to drop spoofed packets it will go to its destination with a spoofed source address. That's why I just said you need to be able to send from a location which doesn't pass through a well configured router. – Rory Alsop Oct 12 '11 at 13:51
  • Again, I think you've misunderstood. Let's say the router's IP is 33.33.33.33, here's what I mean: http://i53.tinypic.com/rrpmo0.png – Polynomial Oct 12 '11 at 14:30
  • Unfortunately I can't see that pic from work. Let me try to explain - I can build a packet with a source IP 200.200.200.200 on my internal network 192.168.1.x and send it somewhere. If I remove spoof detection on my router it will go out with the 200.200.200.200 source address. A response will fail to get back to me, but that is often the desired result when spoofing IP. – Rory Alsop Oct 12 '11 at 15:15
  • Yeah, the image was pretty much displaying that scenario. Thanks for the clarification. – Polynomial Oct 13 '11 at 07:37
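The filtering rule from this answer, worked through as an added example (this is not code from the answer, from any router vendor, or from the question's diagram). It simulates a router with an interface table and applies two checks: the rule the answer states (a source inside network A arriving on any interface other than A's is a spoof) and the complementary BCP 38 source check at customer-facing interfaces (a packet leaving a customer interface may only carry a source from that interface's own prefixes), which is the check the answer says many ISPs omit. The interface names, prefixes and packets are constructed; the 123.123.123.0/24 and 99.99.99.99 addresses come from the question, 192.168.1.x and 200.200.200.200 from the comments, and a 2001:db8:1::/64 prefix is added to show the same rule applies unchanged to IPv6.

```python
# Added example (not from the original answer): a simulated BCP 38 style
# anti-spoofing filter for a router with several interfaces. Interface names,
# prefixes and packets are constructed for illustration.
import ipaddress
from dataclasses import dataclass

# Each interface is bound to the prefixes that legitimately sit behind it.
# "uplink" is the Internet-facing side and claims nothing. The /64 on lan0 is
# there to show that the rule is address-family agnostic.
INTERFACES = {
    "lan0": [ipaddress.ip_network("192.168.1.0/24"),
             ipaddress.ip_network("2001:db8:1::/64")],
    "cust0": [ipaddress.ip_network("123.123.123.0/24")],
    "uplink": [],
}


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str     # source address as written in the IP header
    dst: str


def owner_of(src):
    """Interface whose bound prefix contains src, or None if no interface claims it."""
    addr = ipaddress.ip_address(src)
    for iface, nets in INTERFACES.items():
        if any(addr in net for net in nets):
            return iface
    return None


def ingress_rule(pkt):
    """The rule from the answer: a source inside network A is only acceptable
    on A's own interface; arriving on any other interface it is a spoof."""
    owner = owner_of(pkt.src)
    if owner is not None and owner != pkt.iface:
        return ("drop", "source %s belongs to %s, arrived on %s" % (pkt.src, owner, pkt.iface))
    return ("forward", "")


def source_rule(pkt):
    """Complementary BCP 38 rule at a customer/LAN interface: a packet leaving
    that interface may only carry a source from the interface's own prefixes.
    Without it, spoofing an address nobody on this router owns goes through."""
    if pkt.iface == "uplink":
        return ("forward", "")
    if owner_of(pkt.src) != pkt.iface:
        return ("drop", "source %s is not in %s's prefixes" % (pkt.src, pkt.iface))
    return ("forward", "")


def filter_packet(pkt, bcp38=True):
    """Apply the answer's ingress rule, then (only if bcp38) the source rule.
    Returns ("forward", "") or ("drop", reason)."""
    verdict = ingress_rule(pkt)
    if verdict[0] == "drop" or not bcp38:
        return verdict
    return source_rule(pkt)


# Constructed traffic: a legitimate customer packet, the question's customer
# claiming 99.99.99.99, an outside host claiming an inside address, the
# 200.200.200.200 case from the comments, its IPv6 counterpart, and a normal
# inbound packet from the Internet.
SAMPLE = [
    Packet("cust0", "123.123.123.7", "198.51.100.1"),
    Packet("cust0", "99.99.99.99", "198.51.100.1"),
    Packet("uplink", "192.168.1.9", "192.168.1.1"),
    Packet("lan0", "200.200.200.200", "198.51.100.1"),
    Packet("uplink", "2001:db8:1::5", "2001:db8:1::1"),
    Packet("uplink", "198.51.100.1", "123.123.123.7"),
]

if __name__ == "__main__":
    for strict in (True, False):
        print("bcp38=%s" % strict)
        for p in SAMPLE:
            action, reason = filter_packet(p, strict)
            print("  %-7s %-18s -> %s %s" % (p.iface, p.src, action, reason))
```

Run with `bcp38=False` the 99.99.99.99 and 200.200.200.200 packets are forwarded with their forged sources intact, which is exactly the "remove spoof detection on my router and it will go out" situation in the comments; the packets claiming an inside address from the uplink are dropped either way, because that is the one rule the answer says you will always implement.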

There is a specific IETF RFC that addresses spoofed BGP source prefixes being advertised into a network. For an ISP the default is to trust the other ISP and it is up to your peers to enforce this rigorously and some do not.

https://datatracker.ietf.org/doc/html/draft-jdurand-bgp-security-00#section-4.1.2.2
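As an added example of the kind of per-peer check this answer is pointing at (this is not code from the answer or from the linked draft, and the peer names, prefix lists and "le" maximum-length convention are assumed for illustration): an inbound BGP prefix filter that only accepts an announcement if the peer is on record for a covering prefix and the announced prefix is not more specific than the agreed maximum, and that never accepts the network's own customer block (the question's 123.123.123.0/24) or private space from anyone.

```python
# Added example (not from the answer or the linked draft): a per-peer inbound
# BGP prefix filter. Peer names, prefix lists and the maximum-length values
# are constructed for illustration.
import ipaddress

# Per peer: (covering prefix, longest prefix length accepted). A more-specific
# announcement inside an allowed block is rejected, since that is how a
# hijack of part of a peer's space would look.
PEER_PREFIX_LISTS = {
    "peer-A": [(ipaddress.ip_network("203.0.113.0/24"), 24)],
    "peer-B": [(ipaddress.ip_network("2001:db8::/32"), 48)],
}

# Never accepted from any peer: our own customer block and private space.
NEVER_ACCEPT = [
    ipaddress.ip_network("123.123.123.0/24"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def accept_announcement(peer, prefix):
    """Decide whether an announced prefix from peer is accepted.
    Returns (True, reason) or (False, reason)."""
    net = ipaddress.ip_network(prefix)
    # Blocked space is rejected whether the announcement is inside it or
    # a less specific prefix that would cover it.
    for bad in NEVER_ACCEPT:
        if net.version == bad.version and (net.subnet_of(bad) or bad.subnet_of(net)):
            return (False, "%s overlaps blocked prefix %s" % (net, bad))
    for allowed, max_len in PEER_PREFIX_LISTS.get(peer, []):
        if net.version == allowed.version and net.subnet_of(allowed):
            if net.prefixlen <= max_len:
                return (True, "covered by %s le %d" % (allowed, max_len))
            return (False, "%s is more specific than %s le %d" % (net, allowed, max_len))
    return (False, "%s is not in the prefix list for %s" % (net, peer))


if __name__ == "__main__":
    # Constructed announcements: legitimate, too specific, wrong peer, own block.
    for peer, prefix in [("peer-A", "203.0.113.0/24"), ("peer-A", "203.0.113.0/25"),
                         ("peer-B", "2001:db8:1::/48"), ("peer-B", "2001:db8:1::/64"),
                         ("peer-B", "203.0.113.0/24"), ("peer-A", "123.123.0.0/16")]:
        print(peer, prefix, accept_announcement(peer, prefix))
```

The "trust the other ISP" default the answer describes corresponds to an empty NEVER_ACCEPT list and a catch-all entry per peer; the value of maintaining the per-peer list is that a peer announcing space it has no business originating is rejected at your edge even if that peer does not filter its own customers.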