Security Basics mailing list archives
RE: 192.168.x.x oddities
From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 23 Jun 2004 15:26:57 -0700
There's nothing MAGICALLY unroutable about RFC1918 address blocks. You're allowed to use them, and route them, within an administrative perimeter, but should not advertise routing them beyond your perimeter because they may also be in use within other administrative perimeters. They don't *generally* route across major Internet hubs because those routers know that they have no way of determining which administrative perimeter contains the intended destinations. This does not prohibit their use as sources, especially for traffic that does not require a response -- such as, for instance, ICMP notifications from intermediate routers. If you allow these addresses as sources of ICMP-time-exceeded packets, you will often see ISP backbone routers listed in traceroute steps, instead of just "no answer this hop".

In an ideal world, an administrative perimeter boundary separates an ISP from each and every one of their customers. This is often implemented for small numbers of largish business customers. It is *rarely* implemented for massive numbers of residential/SOHO customers!

By using NAT at the gateway to your ISP, you assert a boundary beyond which the RFC 1918 addresses on your home LAN cannot be resolved; they get mapped to the address allocated by your ISP. Since that latter address lies in space allocated to/by the ISP, there's no risk in allowing it to resolve and reach RFC 1918 addresses used by the ISP within its own network and not located behind another NAT gateway.

Since you assert a boundary at your NAT box, it would be polite not to permit outbound traffic bound for RFC 1918 destination addresses, nor need you accept non-ICMP traffic sourced from such addresses. (Some ICMP types could be useful for debugging.)

David Gillett
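One way to express the boundary policy the post describes, as an added example in Python that is not part of the original message: outbound packets to RFC 1918 destinations are dropped, inbound non-ICMP traffic from RFC 1918 sources is dropped, and only the debugging-relevant ICMP types are admitted from such sources. The admitted ICMP types (3 and 11) and the sample packets are assumptions.

```python
"""Stateless RFC 1918 boundary policy for a NAT gateway (added example).

Packets are constructed dicts-as-tuples; no sockets or real filters are used.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# ICMP types admitted from private-source routers so traceroute and PMTU
# discovery keep working. Assumed set: the post only says "some ICMP types".
ICMP_DEBUG_TYPES = {3, 11}  # 3 = destination unreachable, 11 = time exceeded


def is_rfc1918(addr):
    """True if addr falls in any of the three RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def decide(direction, src, dst, proto, icmp_type=None):
    """Return 'accept' or 'drop' for one packet crossing the NAT boundary."""
    if direction == "out":
        # Beyond the boundary, private destinations cannot be resolved.
        return "drop" if is_rfc1918(dst) else "accept"
    if direction == "in":
        if not is_rfc1918(src):
            return "accept"  # ordinary Internet source; stateful rules apply
        if proto == "icmp" and icmp_type in ICMP_DEBUG_TYPES:
            return "accept"  # e.g. an ISP backbone hop answering a traceroute
        return "drop"       # non-ICMP from a private source: not accepted
    raise ValueError("direction must be 'in' or 'out'")


# Constructed sample traffic as seen on the gateway's external interface.
# 198.51.100.7 stands in for the ISP-allocated address after NAT.
SAMPLE = [
    ("out", "198.51.100.7", "192.168.5.1", "tcp", None),   # private dst
    ("out", "198.51.100.7", "203.0.113.10", "tcp", None),  # normal egress
    ("in", "10.20.30.1", "198.51.100.7", "icmp", 11),      # time exceeded
    ("in", "10.20.30.1", "198.51.100.7", "tcp", None),     # TCP from private
    ("in", "172.31.0.9", "198.51.100.7", "icmp", 8),       # echo request
    ("in", "203.0.113.10", "198.51.100.7", "tcp", None),   # public source
]


def audit(packets=SAMPLE):
    """Apply the policy to each packet and return the list of verdicts."""
    return [decide(*p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, audit()):
        print(verdict, pkt)
```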