Security Basics mailing list archives

RE: 192.168.x.x oddities


From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 23 Jun 2004 15:26:57 -0700

  There's nothing MAGICALLY unroutable about RFC1918 address blocks.
You're allowed to use them, and route them, within an administrative
perimeter, but should not advertise routing them beyond your
perimeter because they may also be in use within other administrative 
perimeters.  They don't *generally* route across major Internet hubs
because those routers know that they have no way of determining which
administrative perimeter contains the intended destinations.
  This does not prohibit their use as sources, especially for traffic
that does not require a response -- such as, for instance, ICMP
notifications from intermediate routers.  If you allow these addresses
as sources of ICMP-time-exceeded packets, you will often see ISP
backbone routers listed in traceroute steps, instead of just "no answer
this hop".

  In an ideal world, an administrative perimeter boundary separates an
ISP from each and every one of their customers.  This is often implemented
for small numbers of largish business customers.  It is *rarely* 
implemented for massive numbers of residential/SOHO customers!
  By using NAT at the gateway to your ISP, you assert a boundary beyond
which the RFC 1918 addresses on your home LAN cannot be resolved;
they get mapped to the address allocated by your ISP.  Since that latter
address lies in space allocated to/by the ISP, there's no risk in allowing
it to resolve and reach RFC 1918 addresses used by the ISP within its own
network and not located behind another NAT gateway.

  Since you assert a boundary at your NAT box, it would be polite not to
permit outbound traffic bound for RFC 1918 destination addresses, nor need
you accept non-ICMP traffic sourced from such addresses.  (Some ICMP types
could be useful for debugging.)

David Gillett
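The two filtering rules in the message above (drop outbound traffic bound for RFC 1918 destinations; drop inbound traffic sourced from RFC 1918 addresses except for the ICMP types that help debugging, such as time-exceeded for traceroute) expressed as a small, testable policy. This is an added example, not code from the original post; the packet records, the interface names and the choice of ICMP types treated as "useful for debugging" (time-exceeded and destination-unreachable) are constructed assumptions.

```python
"""RFC 1918 edge policy for a NAT gateway (added example, not from the post).

Direction is determined by which interface the packet arrives on:
  outbound = leaving the LAN toward the ISP (checked against destination)
  inbound  = arriving from the ISP on the WAN side (checked against source)
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The three RFC 1918 blocks, listed explicitly rather than via
# ip_address().is_private, which also matches loopback and link-local.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ICMP_DEST_UNREACH = 3
ICMP_TIME_EXCEEDED = 11
# Assumption: the ICMP types worth accepting from RFC 1918 sources for debugging
# (time-exceeded makes ISP backbone hops show up in traceroute output).
DEBUG_ICMP_TYPES = {ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    icmp_type: Optional[int] = None  # only meaningful when proto == "icmp"


def is_rfc1918(addr: str) -> bool:
    """True if addr falls in one of the three private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def outbound_verdict(pkt: Packet) -> str:
    """LAN -> ISP: private destinations cannot be resolved past our boundary."""
    return "DROP" if is_rfc1918(pkt.dst) else "ACCEPT"


def inbound_verdict(pkt: Packet) -> str:
    """ISP -> LAN: refuse non-ICMP traffic from private sources, keep debug ICMP."""
    if not is_rfc1918(pkt.src):
        return "ACCEPT"
    if pkt.proto == "icmp" and pkt.icmp_type in DEBUG_ICMP_TYPES:
        return "ACCEPT"
    return "DROP"


def apply_policy(traffic: List[Tuple[str, Packet]]) -> List[str]:
    """Return one verdict per (direction, packet) pair."""
    return [outbound_verdict(p) if d == "out" else inbound_verdict(p)
            for d, p in traffic]


def render_iptables(wan_if: str = "eth0") -> List[str]:
    """Equivalent iptables rules for the same policy (interface name assumed).

    Accept rules for the debug ICMP types are emitted before the catch-all
    drop so they take precedence in chain order.
    """
    rules = []
    for net in RFC1918:
        rules.append(f"iptables -A FORWARD -o {wan_if} -d {net} -j DROP")
    for net in RFC1918:
        for t in sorted(DEBUG_ICMP_TYPES):
            rules.append(f"iptables -A INPUT -i {wan_if} -s {net} "
                         f"-p icmp --icmp-type {t} -j ACCEPT")
        rules.append(f"iptables -A INPUT -i {wan_if} -s {net} -j DROP")
    return rules


# Constructed sample traffic; 198.51.100.0/24 and 203.0.113.0/24 are
# documentation ranges standing in for public addresses.
SAMPLE_TRAFFIC = [
    ("out", Packet("192.168.1.10", "10.1.2.3", "tcp")),          # leaks private dst
    ("out", Packet("192.168.1.10", "198.51.100.7", "tcp")),      # normal outbound
    ("in",  Packet("10.200.0.1", "203.0.113.44", "icmp", 11)),   # traceroute hop
    ("in",  Packet("192.168.50.9", "203.0.113.44", "tcp")),      # spoofed/leaked src
    ("in",  Packet("172.20.1.1", "203.0.113.44", "icmp", 8)),    # echo request, not debug
    ("in",  Packet("203.0.113.5", "203.0.113.44", "udp")),       # normal inbound
]

if __name__ == "__main__":
    for (direction, pkt), verdict in zip(SAMPLE_TRAFFIC, apply_policy(SAMPLE_TRAFFIC)):
        print(f"{direction:3} {pkt.src:>14} -> {pkt.dst:<14} {pkt.proto:4} {verdict}")
    print("\n".join(render_iptables()))
```

The verdict functions key on interface direction rather than on the NAT box's own LAN prefix, so the policy still holds if the ISP side happens to use the same private block the home LAN does.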



