NAT counting

NAT counting

[Stephen Clark]

Hi all,

Is Linux being fixed to prevent this?


"how to remotely count the number of machines hiding behind a NAT box" 
<http://www.research.att.com/%7Esmb/papers/fnat.pdf> /

Re: NAT counting

[Lamont Granquist]

If anyone is working on fixing this, they'll also need to fix up TCP
timestamps and maybe ISNs as well as IPids.

On Thu, 6 Feb 2003, Stephen Clark wrote:
> Hi all,
>
> Is Linux being fixed to prevent this?
>
>
> "how to remotely count the number of machines hiding behind a NAT box"
> <http://www.research.att.com/%7Esmb/papers/fnat.pdf> /
>
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
>
>

Re: NAT counting

[Alan Cox]

On Thu, 2003-02-06 at 18:14, Lamont Granquist wrote:
> If anyone is working on fixing this, they'll also need to fix up TCP
> timestamps and maybe ISNs as well as IPids.

And encrypt all application level traffic very carefully, otherwise things
like web client headers, ftp context and the like will allow people to 
estimate some stuff.

Re: NAT counting

[Helge Hafting]

On Thu, Feb 06, 2003 at 09:46:44AM -0500, Stephen Clark wrote:
> Hi all,
> 
> Is Linux being fixed to prevent this?
> 
> 
> "how to remotely count the number of machines hiding behind a NAT box" 
> <http://www.research.att.com/%7Esmb/papers/fnat.pdf> /
> 
Not a problem.  The purpose of NAT isn't to "hide" stuff, but
to share an ipv4 address.  If you need more than that, let a
firewall mangle your packets in interesting ways.
You can probably do that with linux if you really want to...

Helge Hafting

Re: NAT counting

[Lamont Granquist]

On Fri, 7 Feb 2003, Helge Hafting wrote:
> On Thu, Feb 06, 2003 at 09:46:44AM -0500, Stephen Clark wrote:
> > Hi all,
> >
> > Is Linux being fixed to prevent this?
> >
> >
> > "how to remotely count the number of machines hiding behind a NAT box"
> > <http://www.research.att.com/%7Esmb/papers/fnat.pdf> /
> >
> Not a problem.  The purpose of NAT isn't to "hide" stuff, but
> to share an ipv4 address.  If you need more than that, let a
> firewall mangle your packets in interesting ways.
> You can probably do that with linux if you really want to...

NAT should work correctly though.  It'd be nice if it didn't violate RFC
1323 by having non-monotonically increasing TCP timestamps for machines
that it is NAT'ing.  The RFC 1323 violations are proably just as useful as
the IPid field for this "NAT counting" *and* they can break things in
certain situations (e.g. receiving a SYN to a TIME_WAIT socket with a
smaller TCP timestamp).  I wouldn't mind at all if someone tried to fix
iptables so that it would do all the proper header munging to hide the
fact that there were multiple machines behind it (obviously this would be
slower, so it'd need to be an option that wasn't on by default...)