zrm
zrm
You could set aside a range of ports for the default SNAT or MASQUERADE rules, e.g. iptables -t nat -A POSTROUTING -p udp -o external0 -j MASQUERADE --to-ports 49152-65535 iptables...
I have some hope that the new cttimeout code in Linux will eventually allow longer-than-default timeouts for PCP PEER without iptables, but I haven't discovered any way to assign a...
The nature of snow is that you give it a public key hash and it gives you a virtual IP address where you can send packets that go to the...
> the neat trick there is it uses ORCHIDv2 in order to allow the hash of the public key to be the virtual IP(v6) address itself. ORCHID makes me nervous....
Accidental collisions between honest peers are less the issue than that an attacker can generate keys until one of them collides with one of the honest peers. Adding only a...
> In order for an attacker to achieve a 50% probability that two ORCHIDs, somewhere, collide, they'd need to generate 2^48 - 2^40 keys (which is... costly). And it'd be...
> requires generating the public key from that, which is an ECC scalar multiplication Don't think like someone who wants to generate one unpredictable private key. Think like someone who...
> a valid user only needs to compute the hash to verify the public key as part of a handshake, so as long as it's at most equal to the...
I agree that impersonating a _specific_ service appears impractical today, but being able to impersonate a random service is still very bad. If an attacker can steal or profit from...
> Keep in mind - hosts are actively recommended to keep anonymous IDs for initiating connections which drives the service/ORCHID ratio down, most services aren't profitable to impersonate even when...