#19 Firewall/address detection uses wrong approach.

algorithmic_errors
open
nobody
konspire2b (5)
5
2003-06-12
2003-06-12
Anonymous
No

Summary

The "address verification" method used by konspire2b
doesn't take into account the existence of transparent web
caches.

Description

If one has a valid, public IP address (a.b.c.d), but
all his web traffic (port 80, possibly 8000 and others)
is transparently cached by a device with IP address
x.y.z.v, konspire2b incorrectly "corrects" his address
to be the same as the cache's. Obviously, this breaks
things.
Such a situation can be seen, for example, in cable networks.

Workaround

A temporary workaround would be to run the address
verification server on a different port (not 80). That
traffic should not be captured by the cache, and the
original IP address would be seen by the server.

Solution

Use a different method of detecting address translation.
The simplest method is:
- client checks his own IP address,
- client embeds that IP address in the packet payload,
- NAT device translates address in IP header, but not
the one in payload,
- server can detect that the received source IP address is
different from the address in the payload.

Usually embedding an IP address breaks applications
(except those explicitly known to the NAT device), but
using it for pure detection is fine.

This check will not detect a firewall that doesn't
perform NAT, but blocks incoming connections anyway.

Contact

Note: I'm not able to do any testing except for
checking if the address detection works ok in the
scenario with a transparent cache. moskit-at-irc-dot-pl
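
The detection method proposed under "Solution", worked through as an added example (this is not konspire2b's code, and the 8-byte probe format, the function names and the sample addresses are assumptions made for the illustration): the client embeds the address it believes it owns in the payload, the server compares that with the source address of the datagram it actually received, and a mismatch means something on the path rewrote the IP header. The loopback runner lets you exercise the exchange offline; since the server always sees 127.0.0.1 there, any other claimed address plays the role of a client behind a NAT.

```python
import ipaddress
import socket

# Hypothetical probe format (an assumption for this example, not konspire2b's
# real protocol): a 4-byte magic followed by the 4-byte IPv4 address the
# client believes is its own.
MAGIC = b"ADDR"


def build_probe(own_ip: str) -> bytes:
    """Client side: embed the locally observed IPv4 address in the payload."""
    return MAGIC + ipaddress.IPv4Address(own_ip).packed


def parse_probe(payload: bytes) -> str:
    """Server side: recover the claimed address; reject anything malformed."""
    if len(payload) != len(MAGIC) + 4 or payload[: len(MAGIC)] != MAGIC:
        raise ValueError("malformed probe payload")
    return str(ipaddress.IPv4Address(payload[len(MAGIC):]))


def check_translation(observed_src: str, payload: bytes) -> dict:
    """Compare the source address from the IP header (observed_src) with the
    address the client wrote into the payload.  A NAT rewrites the header but
    not the payload, so a mismatch means translation happened on the path.
    A firewall that only blocks inbound connections leaves both equal and is
    therefore not detected, exactly as the report notes."""
    claimed = parse_probe(payload)
    observed = str(ipaddress.IPv4Address(observed_src))
    return {
        "claimed": claimed,
        "observed": observed,
        "translated": claimed != observed,
    }


def loopback_probe(claimed_ip: str, port: int = 0) -> dict:
    """Run the exchange over a UDP socket on 127.0.0.1.  The server's view of
    the source address is always 127.0.0.1 here, so passing any other
    claimed_ip stands in for a client whose packets were rewritten by a NAT."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        server.bind(("127.0.0.1", port))
        server.settimeout(2.0)
        client.sendto(build_probe(claimed_ip), server.getsockname())
        payload, (src_ip, _src_port) = server.recvfrom(64)
        return check_translation(src_ip, payload)
    finally:
        client.close()
        server.close()


if __name__ == "__main__":
    # Constructed sample: a client that really is 127.0.0.1 is not flagged ...
    print(loopback_probe("127.0.0.1"))
    # ... while a client that believes it is 10.0.0.5 (a constructed private
    # address) but arrives as 127.0.0.1 is reported as translated.
    print(loopback_probe("10.0.0.5"))
```

Because the server never tells the client what address to adopt, a transparent cache in the path can at most make the probe report "translated"; it cannot cause the client to overwrite its own valid public address, which is the failure the report describes. Malformed or truncated payloads are rejected by parse_probe rather than compared, so a stray datagram cannot produce a spurious result.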
