Re: bridge and features on virtual bridges
On Wed, 2002-11-27 at 17:51, Dries Schellekens wrote:
> On Wed, 27 Nov 2002, Hakan Olsson wrote:
>
> > On 27 Nov 2002, Alexander C.H. Lorenz wrote:
> >
> > > hey list, hi theo
> > >
> > > we are developing a firewall solution.
> > > now we have an idea for the bridge interface:
> > >
> > > we would create the bridge as a multi-user system.
> > > let me explain:
> > > when a customer uses an openbsd bridge for other customers (A,B,C) this
> > > is not a problem, all customers of his can use the same Internet
> > > interface, right?
> > > When now the operator gives customer C another net from ripe, can
> > > he use the same bridge at this moment? At the moment not, a bridge isn't
> > > a router.
> > > okay, this I know, but does anybody at the moment have an idea for creating
> > > this feature? The fw1 can't do this ;)
> > > We are discussing at the moment a mac-nat, is this possible?
> >
> > Hi,
> >
> > I'm not at all sure I understand what you are trying to do, but this does
> > not sound quite right to me. Ever heard of the term "layering violation"?
> > ("mac-nat", huh?)
Hi Dries,
yeah, absolutely, thank you for this tip :)
have a great day
cy'a
alex
>
> I think he is referring to the technique invented by Dan "Effugas"
> Kaminsky and implemented in his Paketto Keiretsu.
>
> Taken from his website www.doxpara.com:
> "Minewt is a minimal "testbed" implementation of a stateful address
> translation gateway, rendered so entirely in userspace that not even the
> hardware addresses of the gateway correspond to what the kernel is
> operating against. Minewt implements what is commonly referred to as NAT, as
> well as a Doxpara-developed technique known as MAT. MAT, or MAC Address
> Translation, allows several backend hosts to share the same IP address, by
> dropping the static ARP cache and merging Layer 2 information into the NAT
> state table. Minewt's ability to manipulate MAC addresses also allows it
> to demonstrate Guerilla Multicast, which allows multiple hosts on the same
> subnet to receive a unicasted TCP/UDP datastream from the outside world.
> Minewt is not a firewall, and should not be treated as such."
>
> The presentation Black Ops of TCP/IP describes the basic ideas:
> http://www.doxpara.com/Black_Ops_Hivercon.ppt
>
> Read http://www.doxpara.com/read.php/docs/pk_english.html as well.
>
>
> Cheers,
>
> Dries
> --
> Dries Schellekens
> email: gwyllion@ulyssis.org
>
--
with best regards
mit freundlichen Gruessen
Alexander C.H. Lorenz
C T O & Security Engineer
x/warp
Algasinger Weg 8
Dorfen, Bavaria, GE 84405
TEL: +49 8081.957830
FAX: +49 8081.957832
CELL: +49.172.3746149 (International)
www.x-warp.net
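To illustrate the MAT idea Dries quotes above, here is a constructed toy gateway (my own example, not code from Minewt or the Paketto Keiretsu): its state table is keyed on the source MAC in addition to the usual IP/port tuple, so two backend hosts that share one IP address still get separate translation entries, where a plain NAT key would collide. All MACs, IPs and ports are made-up sample values.

```python
from dataclasses import dataclass, replace

GATEWAY_MAC = "00:00:5e:00:53:01"  # constructed sample value


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class MatGateway:
    """Toy stateful gateway whose state table is keyed on MAC as well as IP."""

    def __init__(self, external_ip, first_port=40000):
        self.external_ip = external_ip
        self.next_port = first_port
        self.outbound = {}  # (src_mac, src_ip, src_port, dst_ip, dst_port) -> external port
        self.inbound = {}   # external port -> (src_mac, src_ip, src_port)

    def translate_out(self, pkt):
        """Rewrite an outbound packet to the gateway's addresses; allocate state on first sight."""
        key = (pkt.src_mac, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = (pkt.src_mac, pkt.src_ip, pkt.src_port)
            self.next_port += 1
        return replace(pkt, src_mac=GATEWAY_MAC, src_ip=self.external_ip,
                       src_port=self.outbound[key])

    def translate_in(self, ext_port):
        """Return the backend (MAC, IP, port) a reply to ext_port belongs to, or None."""
        return self.inbound.get(ext_port)


def plain_nat_key(pkt):
    """Classic NAT state key: without the MAC, two same-IP hosts map to one entry."""
    return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
```

Because the Layer 2 address is part of the state, the gateway can deliver each reply to the right backend host even though both hosts sit behind the same IP.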