Joseph Mack wrote:
>
> just saw this on /.
>
> it's a scheme to be able to access machines that don't
> have a unique IP because they are being NAT'ed.
>
> http://www.cs.cmu.edu/~eugeneng/research/aves/
Shudder!! Ugly as night can only be :)
Read section 5.2 of the pdf documentation available at:
http://www.cs.cmu.edu/~eugeneng/papers/aves-paper.pdf
Maybe he should also check out the netfilter code which
can to source and destination NAPT (Network Address and
Port Translation).
The ugliest part is the opening of the raw NETLINK_FIREWALL
netlink socket and the usage of the slow ipfw. Everything
is implemented with one select. It's not scalable, highly
insecure, extremely slow and plain ugly. What comes in mind
here, are divert sockets, which he could have used instead.
And a yet bigger problem: the firewall code behaves differently.
Not all protocols work (AH for example, although he proposed a
way of doing it), spoofing is easy.
Read 6.2 about a very short and little summary of him about
the security implications. It's ok for people that don't know
how to setup a packetfilter with portforwarding.
:) But I like the idea.
Have phun,
Roberto Nibali, ratz
--
mailto: `echo NrOatSz@xxxxxxxxx | sed 's/[NOSPAM]//g'`
|