I know I promised not to say too much more on the subject; however, since I don't have a life, I wanted to comment a bit on Maestro's response. Here goes. Sorry for the long response; I wanted to break it up a bit and be specific.


YOUR COMMENT:
“This is such a large topic I will only say a few things, first off some protocols are portless and therefore cannot be blocked by ports”

MY RESPONSE:
You are right, not all applications use TCP or UDP (protocols 6 and 17) and are associated with a port number. Some applications use other protocol numbers and work at layer 3 of the OSI model (an example is Cisco's proprietary IGRP (Interior Gateway Routing Protocol, protocol 9), but there are others that are part of the TCP/IP suite).

Let us examine the IP header.
Courtesy of RFC 790 (www.ietf.org). This RFC "might have been updated", but the point is the same.

ASSIGNED INTERNET PROTOCOL NUMBERS

In IP there is a field called the Protocol field, which is an 8-bit field that corresponds to a particular application. The 8 bits give us 256 different possible protocol numbers that may correspond to an application.

Assigned Internet Protocol Numbers

0 and 255 are reserved.
2, 8, 21-62, 66-68, 70, 72-75 and 80-254 are unassigned.
1 is ICMP
3 is Gateway-to-Gateway
4 is CMCC Gateway Monitoring Message
5 is ST
6 is TCP
7 is UCL
9 is Secure
10 is BBN RCC Monitoring
11 is NVP
12 is PUP
13 is Pluribus
14 is Telenet
15 is XNET
16 is Chaos
17 is UDP
18 is Multiplexing
19 is DCN
20 is TAC Monitoring
63 is any local network
64 is SATNET and Backroom EXPAK
65 is MIT Subnet Support
69 is SATNET Monitoring
71 is Internet Packet Core Utility
76 is Backroom SATNET Monitoring
78 is WIDEBAND Monitoring
79 is WIDEBAND EXPAK

If any of those protocols/applications other than ICMP, TCP and UDP are turned on in the TCP/IP stack of the Linksys router, then yes, there lies a vulnerability.


YOUR COMMENT:
“also your IP can be found out even if you are using NAT/PAT, it's just tricky, sometimes the original packet is just "wrapped" in a new packet and payload inspection can reveal internal architecture”

MY RESPONSE:
If you are referring to the internal private IP that is NATed or PATed somehow being encapsulated in the data field, then your statement is incorrect. There is no such thing. The translation table remains in the router. You might be referring to VPN here, where the original IP header is encapsulated and tunneled through, not NAT or PAT.


YOUR COMMENT:
“Because NAT/PAT uses original source IP and Port to create routing tables this can make identifying how many hosts are behind the NAT/PATer if traffic can be sniffed at the router (once again this only applies to protocols with ports, for portless protocols PAT/NAT can be messy)”

MY RESPONSE:
Routing tables have nothing to do with NAT or PAT and have nothing to do with port numbers. Routing tables are created by the router through the process of acknowledging that its interfaces are in an up state and through running some type of routing protocol (either static or dynamic).


YOUR COMMENT:
“There is also DNS information to be considered as well as router quality and vulnerabilities.”

MY RESPONSE:
You lost me on this one?


YOUR COMMENT:
“Also routers not configured to drop incoming packets from reserved address space are vulnerable to spoofing which can sometimes yield results although it is fairly difficult”

MY RESPONSE:
Yes, you are right, this can happen. Vendors of “real” routers can stop this by turning off what they refer to as “IP source route”.

YOUR COMMENT:
“Also the MAC address is mapped to an IP using ARP and other tables which can be poisoned or manipulated to "steal" or obtain an IP on the internal network (man in the middle attacks use this frequently)”

MY RESPONSE:
I don’t follow you here either. Data link connections are established locally. Any MAC on the internal LAN stays within the internal LAN. The MAC of an internal user will never be seen behind a router.

YOUR COMMENT:
“and many devices also allow MAC address cloning (aka they will set themselves to any MAC you like, so you CANNOT guarantee uniqueness)”

MY RESPONSE:
I don’t see how cloning a MAC is relevant to the discussion of identifying an internal PC’s IP address, especially since the internal PC's MAC stays internal and is not revealed to the external/outside LAN.


Cheers.
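The portless-protocol point from the first exchange, as an added example (my own code, not from anyone in the thread): a minimal IPv4 header parser that reads the 8-bit Protocol field and a filter that shows why a policy keyed on TCP/UDP ports alone never gets a chance to block a protocol-9 datagram, so the protocol number itself has to be in the allow-list. The datagrams and addresses are constructed, not captured traffic, and the checksum is left at zero because it is not verified here.

```python
import struct

# Protocol numbers quoted in the post (IPv4 "Protocol" field, 8 bits wide).
ICMP, TCP, UDP, IGRP = 1, 6, 17, 9

def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed 20-byte IPv4 header (IHL 5, no options) plus payload."""
    src = bytes([192, 168, 1, 10])     # constructed private source
    dst = bytes([203, 0, 113, 5])      # constructed public destination
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + len(payload),   # ver/IHL, TOS, total length
                      1, 0, 64, proto, 0,           # id, flags/frag, TTL, proto, checksum (unverified)
                      src, dst)
    return hdr + payload

def parse(pkt: bytes) -> dict:
    """Extract protocol number, addresses and, only for TCP/UDP, the ports."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    proto = pkt[9]                     # the 8-bit Protocol field
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    sport = dport = None
    # Only TCP and UDP carry port numbers; every other protocol is "portless".
    if proto in (TCP, UDP) and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}

def filter_decision(pkt: bytes, allowed_protos=(ICMP, TCP, UDP), allowed_dports=(80, 443)) -> str:
    """Protocol-number check first, port check second; a port-only filter would skip the first."""
    f = parse(pkt)
    if f["proto"] not in allowed_protos:
        return "drop: protocol %d is not allowed (no ports to match on)" % f["proto"]
    if f["dport"] is not None and f["dport"] not in allowed_dports:
        return "drop: destination port %d is not allowed" % f["dport"]
    return "accept"

if __name__ == "__main__":
    for name, pkt in [("tcp/443", build_ipv4(TCP, struct.pack("!HH", 40000, 443))),
                      ("tcp/23", build_ipv4(TCP, struct.pack("!HH", 40000, 23))),
                      ("igrp", build_ipv4(IGRP, b"\x00" * 4)),
                      ("icmp", build_ipv4(ICMP, b"\x08\x00\x00\x00"))]:
        print(name, "->", filter_decision(pkt))
```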