Skip The IP Address

j0hnyb1423 writes "Have you ever wanted to be able to connect to that stackless Snort or Hogwash box without walking over to it and plugging in a monitor and keyboard? Well, at last here's your answer - noiptun. Yes, it requires an IP stack to be compiled into the kernel but no IP addresses necessary on the real interface(s). And if stealth IDS setups aren't your bag, then you can at least use it to browse /. without having an IP bound to your linux workstation."

Is it just me..

[mivok]

or does this sort of defeat the whole point of having a box that you can't connect to over the network in the first place? Whats to stop an attacker connecting through the tunnel to the noip'd box?

Re:Is it just me..

[Spoing]

1. or does this sort of defeat the whole point of having a box that you can't connect to over the network in the first place? Whats to stop an attacker connecting through the tunnel to the noip'd box?

It's an encrypted, secure, service. Says so on the first page.

Re:Is it just me..

[Spoing]

Before someone makes a comment on "how do you know it's secure" I don't. I'm just relaying what shows up on the link within the first couple paragraphs.

Re:Is it just me..

[Spoing]

Nevermind. I'm a moron.

Re:Is it just me..

[Anonymous Coward]

Nevermind. I'm a moron.

How do you know?

Re:Is it just me..

[hbackert]

Whats to stop an attacker connecting through the tunnel to the noip'd box?

The box itself will stop such traffic (only if it's a known exploit though). The bad traffic usually comes from outside. The management and this tunnel is supposed to connect from the internal network. The problem with such bridging boxes is, they either don't have an IP address and are only administratable via the console or configurable via booting/floppy/CD, or they have another interface with a secure network to administer. Switches usually have a dedicated network for their administration. In the latter case, the box has an IP address. In all cases, administration is not supposed to be done via an in-band network connection.

The whole point of this noiptun is to get rid of this extra interface which is usually needed to do some kind of administration.

Re:Is it just me..

[mivok]

Ah.. I was under the impression that this would allow you to connect to a box that just listens on the network and acts as a logging machine, which would have just one interface without an ip address, and a console connection for administration - the benefit of not having an ip is there is no way for an attacker to connect remotely and modify the logs.

But I can see the use now.. methinks I may need to reread the article

Re:Is it just me..

[SlashSpam]

From the README [sourceforge.net] of Noiptun:

If you've been paying careful attention you will have noticed that there has been no mention of any mechanism to prevent the traffic from continuing on to its intended destination, i.e. the IP address the server was using to route the traffic to the client machine. The answer is that noiptun has no way to handle this issue and it must be dealt with through other means if deemed important enough. Some of the ways this can be solved is by creating an appopriate Hogwash or inlin

Re:Is it just me..

[Anonymous Coward]

Is it just me.. or does this sort of defeat the whole point of having a box that you can't connect to over the network in the first place?

I agree, but for a different reason. This box has an IP address. It uses one, so it has an IP address. Any other definition is pointless. What it doesn't have is an IP stack, which the story gets right. Only the title says it has no IP address.

Re:Is it just me..

[Random832]

Noiptun is a client-server based application that allows secure communication with computers that do not have an IP address.

the story itself also says that an ip _stack_ is required, but no _address_... you are the one who has it backwards

Your computer....

[Anonymous Coward]

is NOT broadcasting an IP address. You're safe, please move along.

Ummm.... VLANS...

[MegaHamsterX]

I haven't has a problem with VLANS in linux.
Since all the addresses on the internal VLAN are non-routable you'd need a box with an external public ip address with one of the VLANS built to it from the switch as well as the internal VLAN to make a compromise, this should never happen.

This seems kinda like a rigged situation, if you have an IDS you probably also have switches which support VLANS.

Re:Ummm.... VLANS...

[quantum bit]

...or just inject some 802.1q tagged packets with the VLAN number set to whatever you want.

It's backwards client server

[Animats]

That's an amusing approach.

The author must be a X-windows fanatic. He uses the terms "client" and "server" backwards. The end that sits there passively waiting for someone to connect is called the "client", and the end you run when you want to talk is called the "server".

Note that the "client" opens an Ethernet interface in promiscuous mode, so if you put this on a machine on a busy network, it's going to spend most of its time discarding packets.

Send this guy a roll of duct tape.

Re:It's backwards client server

[j0hnyb1423]

the machine running the client is usually assumed to be running on a bridge interface with no IP of its own. As such it won't be discarding any packets. As far as the naming scheme for client/server, there is actually a good reason why the IP-less side is running the client while the end connecting to it is called the server. When the project began, the idea was to be able to use one "server" to connect to many clients, this functionality isn't currently there and there is at the moment only a one-to-one possible relationship, but the naming scheme makes sense viewed from that angle.

Re:It's backwards client server

[ivan256]

What?

The end that sits there passively waiting for someone to connect is called the "client", and the end you run when you want to talk is called the "server".

That's not how X works, nor is the terminology backwards. In X, the resource that's being served is the terminal (the display and input devices). The server sits around waiting for the clients (applications) to connect to it.

The problem is that you think server means remote and client means local, and that's just wrong; it's actually about who is providing resources and who is consuming them.

arp -s anybody?

[teqo]

Uhmm... I might be wrong, but what about using the arp command option -s to permanently attach an ARP address to some (made up) IP address? In effect, this allows for reaching that host without specific IP address as well...

What does noiptun add in functionality to this, what have I missed?

Re:arp -s anybody?

[j0hnyb1423]

apr -s is another way to go, what noiptun provides however is the ability to connect to boxes across the internet, not just on the local network. Plus it can encrypt the traffic, so it gives arguably more security.

Re:arp -s anybody?

[teqo]

Re-reading the documents available on the noiptun site, it seems that you need some kind of IP-addressable machine that works as a proxy to reach the actual noiptun'ed box bearing no IP address, in case you want to connect from outside the same network segment (speaking of layer 2 here), because ARP will not be routed... If I understood this correct, this in fact is nothing a permanent arp'ing machine couldn't do, maybe it would feel a bit less convenient when using arp -s proxies, though. Which is not the

Re:arp -s anybody?

[j0hnyb1423]

I think my previous response gave the impression that noiptun and arp -s are in fact functionally similar. In fact, arp -s will NOT let you connect to a machine without an IP address. It will let you send packets to it, but the machine will not process them since the IP you're sending the packets to does not exist there.

Oh great!

[Skapare]

Oh great! Now I won't be able to track down what open relay was used to send me spam.