Re: bridge and features on virtual bridges
On Wed, 27 Nov 2002, Hakan Olsson wrote:
> On 27 Nov 2002, Alexander C.H. Lorenz wrote:
>
> > hey list, hi theo
> >
> > We are developing a firewall solution.
> > Now we have an idea for the bridge interface:
> >
> > We would create the bridge as a more user system.
> > Let me explain:
> > When a customer uses an OpenBSD bridge for other customers (A, B, C), this
> > is not a problem; all of his customers can use the same Internet
> > interface, right?
> > If the operator now gives customer C another net from RIPE, can he use
> > the same bridge? At the moment not, a bridge isn't a router.
> > Okay, this I know, but does anybody have an idea for creating this
> > feature? The fw1 can't do this ;)
> > We are discussing a mac-nat at the moment; is this possible?
>
> Hi,
>
> I'm not at all sure I understand what you are trying to do, but this does
> not sound quite right to me. Ever heard of the term "layering violation"?
> ("mac-nat", huh?)
I think he is referring to the technique invented by Dan "Effugas"
Kaminsky and implemented in his Paketto Keiretsu.
Taken from his website www.doxpara.com:
"Minewt is a minimal "testbed" implementation of a stateful address
translation gateway, rendered so entirely in userspace that not even the
hardware addresses of the gateway correspond to what the kernel is
operating against. Minewt implements what is commonly referred to as NAT, as
well as a Doxpara-developed technique known as MAT. MAT, or MAC Address
Translation, allows several backend hosts to share the same IP address, by
dropping the static ARP cache and merging Layer 2 information into the NAT
state table. Minewt's ability to manipulate MAC addresses also allows it
to demonstrate Guerilla Multicast, which allows multiple hosts on the same
subnet to receive a unicasted TCP/UDP datastream from the outside world.
Minewt is not a firewall, and should not be treated as such."
The presentation Black Ops of TCP/IP describes the basic ideas:
http://www.doxpara.com/Black_Ops_Hivercon.ppt
Read http://www.doxpara.com/read.php/docs/pk_english.html as well.
Cheers,
Dries
--
Dries Schellekens
email: gwyllion@ulyssis.org
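As an added illustration of the MAT idea in the quoted Minewt description (this is example code, not code from Paketto Keiretsu or from anyone in the thread), here is a small Python model of a stateful translation table whose flow key includes the backend host's MAC address, so two inside hosts that share one IP are still told apart and replies are steered back by Layer 2 address. All MAC and IP addresses are constructed; the gateway and upstream MACs are assumed parameters.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP/UDP datagram reduced to the fields the translator looks at."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


class MatGateway:
    """Toy MAT/NAT state table: the source MAC is part of the flow key, so
    several backend hosts may share one inside IP (constructed model)."""

    def __init__(self, gw_mac, upstream_mac, public_ip, first_port=40000):
        self.gw_mac = gw_mac              # what the outside world sees at L2
        self.upstream_mac = upstream_mac  # next hop toward the Internet
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}   # (src_mac, src_ip, src_port, dst_ip, dst_port) -> public port
        self.back = {}  # (public port, remote_ip, remote_port) -> inside key

    def outbound(self, pkt):
        """Translate a packet leaving the inside; allocate state on first sight."""
        key = (pkt.src_mac, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.out.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.out[key] = port
            self.back[(port, pkt.dst_ip, pkt.dst_port)] = key
        return Packet(self.gw_mac, self.upstream_mac, self.public_ip,
                      pkt.dst_ip, port, pkt.dst_port)

    def inbound(self, pkt):
        """Map a reply back to the inside host; drop anything without state."""
        if pkt.dst_ip != self.public_ip or pkt.dst_mac != self.gw_mac:
            return None
        key = self.back.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if key is None:
            return None   # unsolicited: no inside flow ever opened it
        src_mac, src_ip, src_port, _, _ = key
        # Rewrite the L2 destination, not just the L3/L4 fields: this is the
        # "merging Layer 2 information into the NAT state table" step.
        return Packet(self.gw_mac, src_mac, pkt.src_ip, src_ip,
                      pkt.src_port, src_port)
```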