[AusNOG] Firewall authentication from Telstra 3G connections

Andrew Cox andrew.cox at bigair.net.au
Sat Jun 16 01:38:41 EST 2012


*The whole authentication model above is flawed.  An IP address does not and
never has represented a single client.  Le Roi nu.*

Exactly this, along with the fact that a NAT client/office can be load
balanced, passing each new connection out a new gateway (personally I
prefer to preserve the selected route for a src and dst address pairing due
to the crazy notion above being put into practice by others .. the
PunkBuster service being a broken example).

- Andrew

On 15 June 2012 13:52, Mark Andrews <marka at isc.org> wrote:

>
> In message <4FDAAD84.8060504 at rendrag.net>, Damien Gardner Jnr writes:
> >
> > On 15/06/2012 12:51 PM, James Sutherland wrote:
> > >
> > > Hi Ausnog,
> > >
> > > In the past couple of weeks we have started seeing issues with
> > > customers connecting to firewall-authentication-protected servers via
> > > Telstra 3G. From any other connection you browse to the gateway, enter
> > > username and password, and the firewall temporarily opens the required
> > > ports just for the IP you connected from. Recently though, from
> > > Telstra 3G connections, it seems that http traffic to the
> > > authentication page is sourced from a different IP to FTP, SSH etc
> > > traffic so the cached authenticated IP doesn't match the traffic's
> > > source IP and is dropped. This has been confirmed with several
> > > different firewalls and customers. Has anyone else seen this or could
> > > shed some light on it?
> >
> > Isn't that standard behaviour with any ISP with a (forced) proxy?  All
> > HTTP requests come from the proxy IP, all other traffic comes from the
> > end user's IP?
>
> And it will become more common with CGNs if they aren't preserving
> <client address,outbound address> tuple mappings.
>
> The whole authentication model above is flawed.  An IP address does
> not and never has represented a single client.  Le Roi nu.
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
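An added illustration, not part of the thread, of the per-source-IP authentication model James describes and of the two ways it breaks that Damien and Mark point to: a forced ISP HTTP proxy, and a CGN that does not keep a stable client-to-egress mapping. The firewall class, addresses and egress behaviours are constructed for the example.

```python
from dataclasses import dataclass, field
from itertools import count

@dataclass
class Flow:
    src_ip: str    # source address as the firewall sees it
    dst_port: int

@dataclass
class IpAuthFirewall:
    """Constructed model: protected ports are opened per authenticated source IP."""
    protected_ports: frozenset
    ttl: float = 3600.0
    authed: dict = field(default_factory=dict)   # src_ip -> expiry time

    def authenticate(self, seen_src_ip: str, now: float) -> None:
        # The web auth page can only record the source IP it was reached from.
        self.authed[seen_src_ip] = now + self.ttl

    def allow(self, flow: Flow, now: float) -> bool:
        if flow.dst_port not in self.protected_ports:
            return True
        expiry = self.authed.get(flow.src_ip)
        return expiry is not None and expiry > now

# Constructed egress behaviours for one subscriber (RFC 5737 documentation addresses).
CLIENT_IP = "198.51.100.10"
PROXY_IP = "203.0.113.5"
CGN_POOL = ["203.0.113.20", "203.0.113.21", "203.0.113.22"]

def direct(port):           return CLIENT_IP                               # no middlebox
def forced_proxy(port):     return PROXY_IP if port == 80 else CLIENT_IP   # ISP proxies HTTP only
def cgn_preserving(port):   return CGN_POOL[0]                             # stable client->egress tuple
def cgn_per_conn():
    """CGN that hands every new connection a fresh egress address."""
    n = count()
    return lambda port: CGN_POOL[next(n) % len(CGN_POOL)]

def run_session(egress) -> dict:
    """Authenticate over HTTP, then open SSH and FTP; return the verdict per port."""
    fw = IpAuthFirewall(protected_ports=frozenset({21, 22}))
    fw.authenticate(egress(80), now=0.0)          # firewall caches the HTTP source
    return {p: fw.allow(Flow(egress(p), p), now=1.0) for p in (22, 21)}
```

Only the direct and tuple-preserving CGN cases get their SSH and FTP flows through; the proxy and per-connection CGN cases are dropped because the cached address never matches the non-HTTP source.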