Gentoo Forums
be prepared for the german law for big WLAN hot spots
Networking & Security
UberLord
Retired Dev
Joined: 18 Sep 2003
Posts: 6737
Location: Blighty
Posted: Thu Apr 23, 2015 11:55 am

krinn wrote:
How can it work with a NAT?
From my knowledge, if my IP is 3.3.3.3 and this host (MAC 4.4.4.4) sends something to someone, it would send it back to my IP with my MAC in it, allowing the router to know that even though it's for 3.3.3.3 the reply is for the host with MAC 4.4.4.4 and not some other random host.

So if the router cannot match the MAC return value, it may drop the reply or give it to the host that is the DMZ, no?
I don't have any IPv6 router to see how this works, but aren't IPv6 packets made with the MAC inside them too?


Sorry, I was talking about http://tools.ietf.org/html/rfc5902 which discusses the possibility of NAT for IPv6.
There is also NAT64 - http://en.wikipedia.org/wiki/NAT64
_________________
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool
krinn
Watchman
Joined: 02 May 2003
Posts: 6968
Posted: Thu Apr 23, 2015 12:04 pm

A bit disappointed; using IPv4 looks like a better bet (as it is more common than IPv6, and more common means higher anon).
Thanks for the info UberLord
szatox
Veteran
Joined: 27 Aug 2013
Posts: 1717
Posted: Thu Apr 23, 2015 9:18 pm

Krinn, the server doesn't have to know your MAC for any NAT to work. It's the NAT that does all the Network Address Translation work.
It maps active connections from the internal network (IP:port pairs) to external addresses (the NAT's own IP:port) and replaces them in the headers on the fly (along with the CRC).
There are many modes of NAT, which makes it hard to describe how exactly it works. Some modes (symmetric) are more annoying than others (full cone), though. For example, symmetric NAT can't be pierced with assistance from STUN because they will be mapped differently.

What might be worth noting: when you specify a gateway in your routing table, say:
route add XXX default gw YYY

what you tell your system is: do not ask XXX for its MAC address. Ask YYY for its MAC and send the packet addressed to XXX with XXX's IP and YYY's MAC.
After translation the NAT looks like the source, so incoming traffic will be addressed with the NAT's external IP and external MAC. The NAT maintains a list of active connections and again replaces headers and forwards traffic.
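A small model of what this post describes, as an added example that is not from the thread: a port-translating NAT with its connection table, the header rewrite in both directions, the re-addressing of the frame to the gateway's and next hop's MAC, and the full cone versus symmetric difference that decides whether the port a STUN server reports can be used by another peer. All hosts, addresses and MACs are constructed for the walkthrough and the checksum update is left out.

```python
"""Port-translating NAT (NAPT) walkthrough: full cone vs. symmetric.

Added example, not code from the thread. The NAT keeps a table of active
connections keyed by internal IP:port, maps each to an external port of its
own, rewrites the headers on the way out and reverses the rewrite on the way
back, so the outside peer only ever sees the NAT's external IP and MAC.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class Napt:
    """full_cone: one external port per internal IP:port; any peer may send to it.
    symmetric: a fresh external port per (internal IP:port, destination IP:port);
    only that destination is let back in."""

    def __init__(self, external_ip, external_mac, internal_mac, next_hop_mac,
                 mode="full_cone", port_range=(40000, 40100)):
        if mode not in ("full_cone", "symmetric"):
            raise ValueError(f"unknown NAT mode {mode!r}")
        self.external_ip, self.external_mac = external_ip, external_mac
        self.internal_mac, self.next_hop_mac = internal_mac, next_hop_mac
        self.mode = mode
        self._next_port, self._last_port = port_range
        self.table = {}       # mapping key -> external port
        self.reverse = {}     # external port -> (int ip, int port, allowed peer or None)
        self.neighbours = {}  # internal ip -> MAC, learned from outbound frames

    def _key(self, pkt):
        if self.mode == "symmetric":
            return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return (pkt.src_ip, pkt.src_port)

    def outbound(self, pkt):
        """Translate source IP:port, record the mapping, re-address the frame."""
        self.neighbours[pkt.src_ip] = pkt.src_mac
        key = self._key(pkt)
        ext_port = self.table.get(key)
        if ext_port is None:
            if self._next_port > self._last_port:
                raise RuntimeError("NAT port pool exhausted")
            ext_port = self._next_port
            self._next_port += 1
            self.table[key] = ext_port
            peer = (pkt.dst_ip, pkt.dst_port) if self.mode == "symmetric" else None
            self.reverse[ext_port] = (pkt.src_ip, pkt.src_port, peer)
        # A real NAT also recomputes the IP and TCP/UDP checksums here.
        return replace(pkt, src_mac=self.external_mac, dst_mac=self.next_hop_mac,
                       src_ip=self.external_ip, src_port=ext_port)

    def inbound(self, pkt):
        """Reverse the translation for a reply, or return None to drop it."""
        if pkt.dst_ip != self.external_ip:
            return None
        entry = self.reverse.get(pkt.dst_port)
        if entry is None:
            return None                      # no active connection: drop
        int_ip, int_port, peer = entry
        if peer is not None and peer != (pkt.src_ip, pkt.src_port):
            return None                      # symmetric NAT: unknown peer, drop
        return replace(pkt, src_mac=self.internal_mac, dst_mac=self.neighbours[int_ip],
                       dst_ip=int_ip, dst_port=int_port)


# Constructed topology: (ip, port, mac) tuples.
CLIENT = ("192.168.1.10", 5000, "aa:aa:aa:00:00:01")
GATEWAY_MAC = "cc:cc:cc:00:00:01"            # the NAT's internal-side MAC
UPSTREAM_MAC = "ee:ee:ee:00:00:01"           # next hop on the external side
STUN = ("198.51.100.5", 3478, "dd:dd:dd:00:00:01")
PEER = ("198.51.100.9", 6000, "dd:dd:dd:00:00:02")


def make_nat(mode):
    return Napt("203.0.113.1", "cc:cc:cc:00:00:02", GATEWAY_MAC, UPSTREAM_MAC, mode)


def client_frame(dst):
    """What the gateway rule in the routing table produces: the destination IP
    stays, but the frame is addressed to the gateway's MAC."""
    return Packet(CLIENT[2], GATEWAY_MAC, CLIENT[0], CLIENT[1], dst[0], dst[1])


def external_ports_seen(mode):
    """(port the STUN server observes, port actually used toward the peer)."""
    nat = make_nat(mode)
    return nat.outbound(client_frame(STUN)).src_port, nat.outbound(client_frame(PEER)).src_port


def peer_reply_delivered(mode):
    """The peer learned the STUN-observed port and sends to it: does it arrive?"""
    nat = make_nat(mode)
    seen = nat.outbound(client_frame(STUN))
    reply = Packet(UPSTREAM_MAC, seen.src_mac, PEER[0], PEER[1], seen.src_ip, seen.src_port, "hi")
    delivered = nat.inbound(reply)
    return delivered is not None and (delivered.dst_ip, delivered.dst_port, delivered.dst_mac) == CLIENT


if __name__ == "__main__":
    for mode in ("full_cone", "symmetric"):
        print(mode, external_ports_seen(mode), peer_reply_delivered(mode))
```

Run as a script, the full cone NAT reports the same external port to both destinations and forwards the peer's packet; the symmetric NAT allocates a second port for the peer and drops the packet sent to the port STUN saw, which is the case the post calls unpierceable.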
UberLord
Retired Dev
Joined: 18 Sep 2003
Posts: 6737
Location: Blighty
Posted: Fri Apr 24, 2015 8:17 am

krinn wrote:
A bit disappointed; using IPv4 looks like a better bet (as it is more common than IPv6, and more common means higher anon).
Thanks for the info UberLord


Why is IPv4 a better bet?
https://trac.torproject.org/projects/tor/wiki/doc/IPv6RelayHowto

You're also missing one very important point: games, especially P2P games!
A lot of games don't work well via NAT and require you to run UPnP on the firewall, which IMHO is a security risk by itself.
This also means that only one host behind the NAT can play the game.

Because IPv6 is end to end, games no longer have to have nasty code to get working connectivity.

TL;DR: you can make IPv6 just as anonymous as IPv4
krinn
Watchman
Joined: 02 May 2003
Posts: 6968
Posted: Fri Apr 24, 2015 10:58 am

UberLord:
If you cannot manage to hide information, then it's a better bet that the information seen is the most common, hiding yourself in the mass. Like your browser example: if you cannot hide your browser info, then make sure your browser answers with the name of the most common browser, as it will make it harder to track you out of the mass.
Because of the limited range of IPs from IPv4 classes, and people's habits with them, using a class A or C yourself should make it harder to track you. While of course IPv6 should give a perfect answer.

Oh, and I see the point that I forgot with NAT: even behind a NAT, if this NAT is part of the network, anyone can query ARP and get your hardware MAC from it (as I don't think any NAT exists that randomizes/anonymizes the hardware MAC on ARP queries; at least mine doesn't), as the layer used in the network is 802.11 or 802.3 for the classic ones and not TCP.
And the problem with wireless is that you aren't joining a host from your external IP, but are going to be part of its network, making it hard to hide something from it.
Now I really get toralf's concern about anonymizing its MAC.

Now the question is: if you join someone's network with the IPv6 trick you have in dhcpcd6, is the MAC address really taken from your stateful IPv6 given to the host, or does the host query ARP to get it (or read it in the Ethernet header)? At least for IPv4 you cannot get it from the IP, so you must get it from ARP; it would mean an IPv6 router may take the MAC from the IPv6 address only, and as such will use your fake MAC built into your IP, but it would mean that if someone does any IPv4 query in it, that router would be unable to find who is really behind that MAC address, making IPv4 fail.
szatox
Veteran
Joined: 27 Aug 2013
Posts: 1717
Posted: Fri Apr 24, 2015 4:18 pm

Quote:
even behind a NAT, if this NAT is part of the network, anyone can query ARP and get your hardware MAC from it (as I don't think any NAT exists that randomizes/anonymizes the hardware MAC on ARP queries; at least mine doesn't)
Why would it use random values? This is how traffic is directed through a switched network; it can't be random and still work.
In a local (switched) network all traffic is delivered based on MAC addresses. In a routed network it's delivered based on IP. Once your packet reaches the router, the source MAC address is replaced with the router's external MAC and the destination MAC (the router's internal MAC) is replaced with the next hop's MAC.
So, if you checked MAC addresses inside your local network, then you can see all MACs, because there is no router in your way, even if that's what you call the box you plug all the wires into. The router is being sidestepped; it's only a switch until you send your traffic out.
krinn
Watchman
Joined: 02 May 2003
Posts: 6968
Posted: Fri Apr 24, 2015 7:58 pm

Sorry, this is not how it works on my side: if any host wishes to speak with another host, it does an ARP query and it is my router that answers it, not my hosts. It looks like any answer would be taken as "truth", and hostA querying hostB for its MAC will be handled and answered by my router. And hostA sees no problem that it isn't hostB who answers it.
So it is not sidestepped but an active device.
PS: and I don't think I have a kick-ass router :)
steveL
Watchman
Joined: 13 Sep 2006
Posts: 5153
Location: The Peanut Gallery
Posted: Sat Apr 25, 2015 12:55 pm

krinn wrote:
hostA sees no problem that it isn't hostB who answers it.

Precisely: because it never knew about the internal MAC at all; it only answered the translated packet.

As for queries, I don't think that applies so much to established connections as to ports you have open in the firewall, in which case you're in another territory altogether (port-forwarding).

The point here is that the client host can select the MAC component (EUI64?), specific to the network it's on, instead of the router doing it.

That doesn't make it insecure because it's based on pseudo-random cryptography (so not leaking internal configuration), and can be changed at any point.

Though I agree a client doesn't need to preserve it across reboots, so there would be value in defaulting to flush at reboot, unless configured otherwise for server-usage, and allowing it to timeout with the dhcp lease etc. Though I imagine that happens already, it would be cool to have it change on a connection basis too (where a known-host is not required.)

No idea how much code that would take; can't think it'd be too much, but I'm not volunteering.

What about you? Patch/test/repeat-til-dead.. ;)
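steveL's point about a client-selected, pseudo-random interface identifier that can differ per network, and krinn's earlier question about whether a router could take the MAC from the IPv6 address, worked through as an added example that is not from the thread or from dhcpcd. The thread does not name the mechanism; this example assumes RFC 7217 stable privacy addresses, uses HMAC-SHA256 as the PRF (the RFC leaves the PRF open), and the MAC, prefixes, network names and secret key are constructed. It contrasts the modified EUI-64 identifier, from which the MAC reads straight back, with the stable identifier, from which it does not, and shows that the stable one changes with the network while the EUI-64 one follows the host wherever it roams. On-link neighbours learn a MAC through Neighbor Discovery (RFC 4861) or ARP, not by parsing it out of the address, so an address that does not embed the MAC changes nothing about how frames are delivered.

```python
"""EUI-64 vs. stable-privacy IPv6 interface identifiers.

Added example, not code from the thread or from dhcpcd. It contrasts two ways a
host can choose the 64-bit interface identifier (IID) of its SLAAC address: the
RFC 4291 modified EUI-64 form, which embeds the MAC, and an RFC 7217 style
stable-privacy IID, a PRF over prefix, interface, network identifier, DAD
counter and a local secret. HMAC-SHA256 as the PRF, the MAC, the prefixes, the
network names and the key are all choices or constructed values of this example.
"""
import hashlib
import hmac
import ipaddress


def modified_eui64_iid(mac: str) -> bytes:
    """RFC 4291 Appendix A: flip the universal/local bit, insert FFFE in the middle."""
    octets = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "")))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    octets[0] ^= 0x02
    return bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])


def mac_from_eui64_iid(iid: bytes):
    """Inverse of the above when the FFFE marker is present; None otherwise."""
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02
    return ":".join(f"{o:02x}" for o in octets)


def stable_privacy_iid(prefix: str, net_iface: str, network_id: str,
                       dad_counter: int, secret_key: bytes) -> bytes:
    """RFC 7217 shaped IID: F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key).

    HMAC-SHA256 truncated to 64 bits is this example's choice of PRF.
    Nothing about the MAC goes into it, so nothing about the MAC comes out.
    """
    prefix_bytes = ipaddress.IPv6Network(prefix).network_address.packed[:8]
    msg = (prefix_bytes + net_iface.encode() + b"\0" + network_id.encode()
           + b"\0" + dad_counter.to_bytes(4, "big"))
    return hmac.new(secret_key, msg, hashlib.sha256).digest()[:8]


def slaac_address(prefix: str, iid: bytes) -> str:
    """Join a /64 prefix with an 8-byte IID into a textual IPv6 address."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("need a /64 prefix and a 64-bit IID")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))


def iid_of(address: str) -> bytes:
    """Low 64 bits of an address, i.e. the part a host carries between networks."""
    return ipaddress.IPv6Address(address).packed[8:]


# Constructed values for the walkthrough.
MAC = "00:1b:21:0a:0b:0c"
KEY = b"constructed-per-host-secret-key"
HOME = ("2001:db8:1::/64", "home-wifi")      # (advertised prefix, network id)
CAFE = ("2001:db8:2::/64", "cafe-hotspot")


def addresses_on(network, mac=MAC, key=KEY, dad_counter=0):
    """(EUI-64 address, stable-privacy address) the host would form on a network."""
    prefix, network_id = network
    eui64 = slaac_address(prefix, modified_eui64_iid(mac))
    stable = slaac_address(prefix, stable_privacy_iid(prefix, "wlan0", network_id,
                                                      dad_counter, key))
    return eui64, stable


def iid_follows_host(network_a, network_b, eui64: bool) -> bool:
    """True when the IID is identical on both networks, i.e. it identifies the
    host wherever it roams; False when each network sees a different IID."""
    index = 0 if eui64 else 1
    return iid_of(addresses_on(network_a)[index]) == iid_of(addresses_on(network_b)[index])


if __name__ == "__main__":
    for name, net in (("home", HOME), ("cafe", CAFE)):
        eui64, stable = addresses_on(net)
        print(f"{name}: eui64={eui64}  mac recovered={mac_from_eui64_iid(iid_of(eui64))}")
        print(f"{name}: stable={stable}  mac recovered={mac_from_eui64_iid(iid_of(stable))}")
```

The DAD counter is the knob RFC 7217 turns when an identifier collides on the link; bumping it yields a fresh identifier from the same secret, which is also what a "change it per connection" policy like the one discussed above would do.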