2011-08-10

RFC3514 firewall?

I have made a test build of the FireBrick with RFC3514 support in it. Firewall rules can test for the evil bit set or unset, and can cause the evil bit to be set on the session so that, for example, NATted sessions can have the evil bit set.

Yes, bit of fun - and I may put in a production release one day (perhaps next April). However, it has been made a semi serious suggestion (Ray Bellis) that this could be done on CGNAT systems allowing both ends to know that they are working via some sort of NAT or otherwise mangling of headers system on the way. The bit gets set on replies on the session as well for this reason.

The concept is that where a device tries IPv4 and IPv6 at the same time, and gets replies, it can tell from the replies that the IPv4 is being mangled and prefer the IPv6 even if apparently slower to reply.

So now, not only do we all know NAT is evil, but we can have the evil bit actually tell us that :-)
at

1 comment:

Comments are moderated purely to filter out obvious spam, but it means they may not show immediately.

Subscribe to: Post Comments (Atom)

Breaking my heart

One of the things I suffer from is tachycardia. My first memory of this was in secondary school, when I got a flat tyre cycling to school an...

  • It's official, ADSL works over wet string
    Broadband services are a wonderful innovation of our time, using multiple frequency  bands  (hence the name) to carry signals over wires (us...
  • Air conditioning at home (planning permission!)
    For many years I used a small stand-alone air-conditioning unit in my study (the box room in the house) and I even had a hole in the wall fo...
  • EICAR test QR
    It seems there is something of a standard test string for anti virus ( wikipedia has more on this). The idea is that systems that look fo...