[AusNOG] Firewall authentication from Telstra 3G connections
Mark Andrews
marka at isc.org
Fri Jun 15 13:52:24 EST 2012
In message <4FDAAD84.8060504 at rendrag.net>, Damien Gardner Jnr writes:
>
> On 15/06/2012 12:51 PM, James Sutherland wrote:
> >
> > Hi Ausnog,
> >
> > In the past couple of weeks we have started seeing issues with
> > customers connecting to firewall-authentication-protected servers via
> > Telstra 3G. From any other connection you browse to the gateway, enter
> > username and password, and the firewall temporarily opens the required
> > ports just for the IP you connected from. Recently though, from
> > Telstra 3G connections, it seems that http traffic to the
> > authentication page is sourced from a different IP to FTP, SSH etc
> > traffic so the cached authenticated IP doesn't match the traffic's
> > source IP and is dropped. This has been confirmed with several
> > different firewalls and customers. Has anyone else seen this or could
> > shed some light on it?
>
> Isn't that standard behaviour with any ISP with a (forced) proxy? All
> HTTP requests come from the proxy IP, all other traffic comes from the
> end user's IP?

And it will become more common with CGNs if they aren't preserving
<client address,outbound address> tuple mappings.

The whole authentication model above is flawed. An IP address does
not and never has represented a single client. Le Roi nu.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
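
An added illustration, not part of the original thread: a toy model of the IP-keyed firewall login behind a CGN, showing both the failure reported above (the login flow and the SSH flow leave from different addresses) and the point that a shared address admits subscribers who never logged in. The class names, pool and subscriber addresses are constructed for the example; "paired" is the RFC 4787 term for a NAT that keeps one outbound address per internal host.

```python
import itertools

POOL = ["203.0.113.10", "203.0.113.11"]  # constructed CGN outbound pool (TEST-NET-3)

class IpKeyedGate:
    """Firewall that opens ports for whichever source IP passed the web login."""
    def __init__(self):
        self.allowed = set()

    def web_login(self, src_ip):
        self.allowed.add(src_ip)          # credentials assumed valid

    def permits(self, src_ip):
        return src_ip in self.allowed     # the only check: source address

class Cgn:
    """Toy carrier-grade NAT. paired=True keeps one outbound address per
    subscriber; paired=False takes the next pool address for every new flow."""
    def __init__(self, pool, paired):
        self.paired = paired
        self._next = itertools.cycle(pool)
        self._pairing = {}

    def outbound(self, subscriber):
        if not self.paired:
            return next(self._next)
        if subscriber not in self._pairing:
            self._pairing[subscriber] = next(self._next)
        return self._pairing[subscriber]

def scenario(paired):
    """Return (alice_ssh_ok, bob_admitted, carol_admitted); only Alice logs in."""
    cgn, gate = Cgn(POOL, paired), IpKeyedGate()
    alice, bob, carol = "100.64.0.5", "100.64.0.9", "100.64.0.12"  # constructed
    gate.web_login(cgn.outbound(alice))               # HTTP flow to the login page
    alice_ok = gate.permits(cgn.outbound(alice))      # separate SSH flow
    # Bob and Carol never authenticate; each opens a few flows.
    bob_in = any(gate.permits(cgn.outbound(bob)) for _ in POOL)
    carol_in = any(gate.permits(cgn.outbound(carol)) for _ in POOL)
    return alice_ok, bob_in, carol_in

if __name__ == "__main__":
    print("unpaired:", scenario(False))  # (False, True, True)
    print("paired:  ", scenario(True))   # (True, False, True)
```

Paired pooling restores Alice's access, but Carol, who shares Alice's outbound address, is still admitted without logging in; binding the session to a per-user credential (VPN, SSH keys, client certificates) rather than to the source address removes both problems.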