From Slashdot: Comcast goes after NAT users

Jeremy Fowler, CNA jfowler at westrope.com
Fri Jan 25 18:09:39 CST 2002


Well, it's all in how an IP packet is generated. In any network protocol model,
there are multiple layers. In TCP/IP there are specifically four (there are 7
defined in the OSI Model, but TCP/IP combines some of them): application,
transport, network, and data link. The application layer is what initially
generates the packet and eventually what ends up receiving the packet on the
other side. Next comes the transport layer; this is usually TCP, UDP, or some
other transport protocol that specifies how two PCs will communicate. After that
comes the network layer; this is the IP layer, and it specifies the IP address of
each PC and specifies how two PCs will locate each other. Finally there is the data
link layer; this is usually the Ethernet protocol, PPP, or some other hardware
based protocol that allows the physical hardware to communicate with each other.
This is where the MAC address is generated. Every TCP/IP packet on the internet
consists of headers. When a packet traverses the different layers of the model,
each layer tacks on its own header info to the data segment and then passes it
on to the next layer. When it reaches the data link layer, the packet is
complete and it's sent on its merry way. Under normal conditions this packet
isn't altered in any way until it reaches its specified host. Routers,
gateways, bridges, switches, or hubs do not alter the packet in any way.
Instead, they look at the different headers and pass it on.

    Host A    ^                      ^    Host B
[Application] | <------------------> | [Application] SMTP, HTML, DNS
[ Transport ] | <------------------> | [ Transport ] TCP, UDP
[  Network  ] | <------------------> | [  Network  ] IP
[ Data Link ] | <------------------> | [ Data Link ] Ethernet
              |______________________|
                Actual Flow of Data

Example TCPIP Packet:

Application Layer starts with the data:
[        DATA        ]

Transport Layer encapsulates the data and adds its header:
[ TCP HEADER [        DATA        ]]

Network Layer encapsulates the Transport Layer packet and adds its own header:
[IP Header (IP Address) [ TCP HEADER [        DATA        ]]]

Finally the Data Link Layer encapsulates the other layers and adds the last
header:
[ Ethernet Header (MAC Address) [IP Header (IP Address) [ TCP HEADER [        DATA        ]]]]

So when the packet is received on the other end, the MAC address IS the address
of the originating device. Not the last router that encountered the packet.

IP Masquerading changes the IP Header information ONLY, not the MAC address.

> -----Original Message-----
> From: owner-kclug at marauder.illiana.net
> [mailto:owner-kclug at marauder.illiana.net]On Behalf Of ndr
> Sent: Friday, January 25, 2002 10:51 AM
> To: Jeremy Fowler, CNA
> Cc: kclug at kclug.org
> Subject: RE: From Slashdot: Comcast goes after NAT users
>
>
>
> Call me ignorant, but I do not see how they would see the MAC addresses of
> the machines behind the NAT. Wouldn't they only see the MAC of the outside
> interface? NAT is supposed to hide all of that information. If the packets
> were sent with the MAC of the internal NICs it would cause confusion on
> the public facing interface and slow things down.
>
> Carnivore is, I believe, an application level sniffer. Monitor SMTP, HTTP,
> etc. streams. It wouldn't be hard to have one that looks at the MAC, but
> to me it would seem utterly useless.
>
> I would imagine that Comcast's intentions are to scare people into
> honesty and get the extra bits of cash squeezed out of them. The only way
> they could catch a NAT is by doing exhaustive traffic analysis at the
> application level or coming to your house and searching your setup. Both
> are too expensive and cumbersome for them to bother.
>
>
> On Fri, 25 Jan 2002, Jeremy Fowler, CNA wrote:
>
> > I doubt they will try to see what types of PCs are behind a firewall. Port
> > scanning is very intrusive. And for the most part, all you would be scanning is
> > the NAT device or firewall. What they probably will do is set up some type of
> > packet sniffer device similar to the FBI's Carnivore on their network. This
> > device will probably scan for packets that have the same IP address, but
> > different MAC addresses. Since you only use the one IP address Comcast gives you
> > with IP Masquerading, they would be able to spot you if you had multiple PCs
> > behind the firewall. I'm sure they will account for people who replace their
> > NICs, and first target the people with the highest count of different MAC
> > addresses. If you just have one PC using a broadband router as a firewall, they
> > probably won't bother you since your MAC address will always be the same. Then
> > again, I could be wrong. But whatever they do, I'm sure they will try to keep it
> > a secret to prevent people from figuring out ways to get around it.
> >
> > One possible workaround is to write a module for iptables that not only
> > masquerades the IP address, but the MAC address as well. Or you could move...
> > ;-) Time Warner Cable doesn't have any restrictions that I'm aware of... yet.
> >
> > I wonder what would happen if someone were to bring this to court? Maybe
> > something like this will reverse that whole non-compete law and allow cable
> > companies to go at it again. Imagine cable companies offering digital cable
> > channels and faster broadband at competitive prices. ;-)
> >
> > -Jeremy
> >
>
>
>
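Added example, not part of the thread and not the iptables module Jeremy talks about: the Ethernet/IP/TCP encapsulation laid out at the top of the message, built byte by byte in Python, followed by the rewrite a masquerading gateway makes to the IP header of an outbound packet. It goes one step beyond the text in that it also rewrites the TCP source port and recomputes both the IP and the TCP checksum (the TCP checksum covers the IP addresses through a pseudo-header, so it goes stale as soon as the source address changes). For simplicity the gateway here always hands out a port from its own range; Linux IP masquerading keeps the original source port when it can and only changes it on a collision. The MAC addresses, IP addresses, ports and payload are constructed sample values, not anything observed on Comcast or posted to the list.

```python
import struct

# Constructed sample values for this example (not taken from the thread).
PRIVATE_HOST_MAC = "00:11:22:33:44:55"   # NIC of the PC behind the NAT box
GATEWAY_MAC = "00:aa:bb:cc:dd:ee"        # inside interface of the NAT box
PRIVATE_IP, PUBLIC_IP, REMOTE_IP = "192.168.1.10", "203.0.113.7", "198.51.100.25"


def checksum(data):
    """RFC 1071 one's-complement sum; it comes out 0 over a header that
    already carries a correct checksum, which is how receivers verify one."""
    if len(data) % 2:
        data = data + b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def mac_str(b): return ":".join("%02x" % x for x in b)
def ip_bytes(s): return bytes(int(o) for o in s.split("."))
def ip_str(b): return ".".join(str(x) for x in b)


def tcp_checksum(src_ip, dst_ip, segment):
    """Covers a pseudo-header of the IP addresses too, so changing the source
    IP invalidates it even when the ports are left alone."""
    pseudo = ip_bytes(src_ip) + ip_bytes(dst_ip) + struct.pack("!BBH", 0, 6, len(segment))
    return checksum(pseudo + segment)


def tcp_segment(src_ip, dst_ip, sport, dport, data, seq=1, ack=0, flags=0x18):
    """Transport layer: [ TCP HEADER [ DATA ] ], 20-byte header without options."""
    hdr = bytearray(struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0))
    hdr[16:18] = struct.pack("!H", tcp_checksum(src_ip, dst_ip, bytes(hdr) + data))
    return bytes(hdr) + data


def ip_packet(src_ip, dst_ip, segment, ident=0x1234, ttl=64):
    """Network layer: [ IP Header [ TCP segment ] ], 20-byte header, protocol 6."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), ident,
                                0x4000, ttl, 6, 0, ip_bytes(src_ip), ip_bytes(dst_ip)))
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr) + segment


def ethernet_frame(src_mac, dst_mac, packet):
    """Data link layer: [ Ethernet Header [ IP packet ] ], EtherType 0x0800 = IPv4."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0800) + packet


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, data):
    """Top down through the layers, each one wrapping the output of the one above."""
    segment = tcp_segment(src_ip, dst_ip, sport, dport, data)
    return ethernet_frame(src_mac, dst_mac, ip_packet(src_ip, dst_ip, segment))


def decode_packet(packet):
    """Peel off the IP and TCP headers and report what a sniffer would see."""
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr, segment = packet[:ihl], packet[ihl:]
    src_ip, dst_ip = ip_str(ip_hdr[12:16]), ip_str(ip_hdr[16:20])
    sport, dport = struct.unpack("!HH", segment[:4])
    return {"ip": {"src": src_ip, "dst": dst_ip, "proto": ip_hdr[9],
                   "checksum_ok": checksum(ip_hdr) == 0},
            "tcp": {"sport": sport, "dport": dport,
                    "checksum_ok": tcp_checksum(src_ip, dst_ip, segment) == 0},
            "data": segment[(segment[12] >> 4) * 4:]}


def decode_frame(frame):
    """Ethernet header first, then the IP packet it carries."""
    eth, out = frame[:14], {}
    out["ethernet"] = {"dst_mac": mac_str(eth[:6]), "src_mac": mac_str(eth[6:12]),
                       "type": struct.unpack("!H", eth[12:14])[0]}
    out.update(decode_packet(frame[14:]))
    return out


class Masquerade:
    """Outbound rewrite of a masquerading gateway: source IP becomes the public
    one, source port is replaced from the gateway's range (recorded so the
    reply maps back), IP and TCP checksums are recomputed, DATA is untouched."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip, self.next_port, self.table = public_ip, first_port, {}

    def outbound(self, packet):
        ihl = (packet[0] & 0x0F) * 4
        ip_hdr, segment = bytearray(packet[:ihl]), bytearray(packet[ihl:])
        if ip_hdr[9] != 6:
            raise ValueError("this example only rewrites TCP")
        src_ip, dst_ip = ip_str(ip_hdr[12:16]), ip_str(ip_hdr[16:20])
        key = (src_ip, dst_ip) + struct.unpack("!HH", segment[:4])
        if key not in self.table:            # new connection: allocate a public port
            self.table[key] = self.next_port
            self.next_port += 1
        segment[0:2] = struct.pack("!H", self.table[key])
        segment[16:18] = b"\x00\x00"        # zero the field before recomputing
        segment[16:18] = struct.pack("!H", tcp_checksum(self.public_ip, dst_ip, bytes(segment)))
        ip_hdr[12:16] = ip_bytes(self.public_ip)
        ip_hdr[10:12] = b"\x00\x00"
        ip_hdr[10:12] = struct.pack("!H", checksum(bytes(ip_hdr)))
        return bytes(ip_hdr) + bytes(segment)
```

Build a frame with build_frame(), hand frame[14:] (everything inside the Ethernet header) to Masquerade.outbound(), and run decode_packet() on the result: the source address and port change, both checksum_ok flags stay True, and the DATA bytes are identical. Masquerade.table is the state a real gateway keeps so that the reply from REMOTE_IP to port 40000 can be handed back to 192.168.1.10:1025.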