OT: Security....

James Wilkinson james at westexe.demon.co.uk
Mon Nov 1 13:01:42 UTC 2004


I wrote:
> In particular, you can't really spoof IP addresses on SSH sessions. The
> server needs to be able to get packets back to the (possibly attacking)
> client, which means the client's IP address must be routable.

Joel wrote:
> Okay, educate me. Why is a spoofed IP address known to be not routable?

Yes, I over-simplified this. I should have said routable back to the
client. Imagine you're sitting in Power Cable, Nebraska, attacking a
computer in Nether Wallop, UK, and spoofing a computer in
Henley-on-Todd, Australia. You send a packet to the UK, which replies to
it. But it sends the reply to Australia: you never see it.

But you need to see data from that packet to be able to continue the
connection.

Hope this helps,

James.

-- 
E-mail address: james | A woodpigeon would, If a woodpigeon could,
@westexe.demon.co.uk  | But a woodpigeon can't, So it won't.
                      | A woodpigeon could, If a woodpigeon would,
                      | But a woodpigeon doesn't want to. So it doesn't.
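
The exchange described in the message above, modelled as an added example (not part of the original post): a toy TCP handshake in which the server's reply carries a random initial sequence number and is routed to the claimed source address. The three addresses are constructed stand-ins for the Nebraska, UK and Australia hosts, and the Server class and handshake function are hypothetical names for this sketch.

```python
import secrets

# Constructed addresses (documentation ranges) standing in for the three hosts.
NEBRASKA, UK, AUSTRALIA = "192.0.2.10", "198.51.100.20", "203.0.113.30"

class Server:
    """Toy TCP listener; half-open connections are keyed by the claimed source."""
    def __init__(self):
        self.half_open = {}
        self.established = set()

    def on_syn(self, src_ip, src_port):
        isn = secrets.randbits(32)              # server's initial sequence number
        self.half_open[(src_ip, src_port)] = isn
        # The SYN-ACK is addressed to the claimed source, whoever really sent the SYN.
        return {"dst": src_ip, "dst_port": src_port, "seq": isn}

    def on_ack(self, src_ip, src_port, ack):
        isn = self.half_open.pop((src_ip, src_port), None)
        if isn is None or ack != (isn + 1) % 2**32:
            return False                        # wrong ACK number: no connection
        self.established.add((src_ip, src_port))
        return True

def handshake(server, sender_ip, claimed_ip, port, inboxes):
    """Host at sender_ip sends a SYN whose source field says claimed_ip."""
    synack = server.on_syn(claimed_ip, port)
    # Routing: the reply lands only at the host that owns the destination address.
    inboxes.setdefault(synack["dst"], []).append(synack)
    seen = [p for p in inboxes.get(sender_ip, []) if p["dst_port"] == port]
    if seen:
        ack = (seen[-1]["seq"] + 1) % 2**32     # read the ISN from the reply
    else:
        ack = secrets.randbits(32)              # never saw the reply: blind guess
    return server.on_ack(claimed_ip, port, ack)

def demo():
    server, inboxes = Server(), {}
    honest = handshake(server, NEBRASKA, NEBRASKA, 40000, inboxes)
    spoofed = handshake(server, NEBRASKA, AUSTRALIA, 40001, inboxes)
    return honest, spoofed, len(inboxes.get(AUSTRALIA, []))

if __name__ == "__main__":
    print(demo())
```
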



