Security Basics mailing list archives

Re: Removing ping/icmp from a network


From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Tue, 1 Apr 2008 14:13:39 +0200

On 2008-03-29 Michael Painter wrote:
> On Friday, March 28, 2008 6:44 AM Ansgar -59cobalt- Wiechers wrote:
>> On 2008-03-27 Michael Painter wrote:
>>> I'm not sure what 'clean' means, but I'm not supposed to see 10/8
>>> addresses on the "Internet".
>>
>> You aren't seeing them "on the Internet".
>
> Poor choice of words, maybe?  How about via the Internet?
> Anyway, there are (at least) two schools of thought on this, as shown
> by this thread from NANOG.
>
> http://www.cctec.com/maillists/nanog/historical/0102/threads.html#00702
> [...]
> (From RFC 1918)
>      Because private addresses have no global meaning, routing
>      information about private networks shall not be propagated on
>      inter-enterprise links, and packets with private source or
>      destination addresses should not be forwarded across such links.
>      Routers in networks not using private address space, especially
>      those of Internet service providers, are expected to be
>      configured to reject (filter out) routing information about
>      private networks.

Traceroute results don't qualify as routing information (that would be
BGP, OSPF, or RIP data), and the private address only shows up as the
source address of the "time exceeded" packet. You'll note that the RFC
doesn't require, but only recommends, not forwarding packets with private
source addresses, so there's no real violation of RFC 1918 here. I'll
agree that it is a bad practice, though.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
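The situation the thread describes, an intermediate router answering with an RFC 1918 source address in its ICMP "time exceeded" reply, is easy to spot in traceroute output. The following is an added example, not code from the thread or from any of its participants: it parses a constructed traceroute listing (the addresses and timings are made up) and flags hops beyond the local gateway whose reply came from a private address. It uses the explicit RFC 1918 blocks rather than Python's `is_private`, because `is_private` also matches documentation and other special-purpose ranges that are not RFC 1918 space.

```python
import ipaddress
import re

# Constructed sample output (not taken from the thread). Hop 3 replies from
# an RFC 1918 address, the case discussed in the message above.
SAMPLE_TRACEROUTE = """\
traceroute to 203.0.113.10 (203.0.113.10), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.412 ms  0.389 ms  0.371 ms
 2  198.51.100.1 (198.51.100.1)  8.102 ms  8.093 ms  8.077 ms
 3  10.20.30.1 (10.20.30.1)  9.511 ms  9.498 ms  9.480 ms
 4  * * *
 5  203.0.113.10 (203.0.113.10)  21.003 ms  20.985 ms  20.970 ms
"""

# The three address blocks reserved by RFC 1918, and nothing else.
RFC1918_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# One traceroute hop line: "<ttl>  <name> (<ipv4>) ..." or "<ttl>  * * *".
HOP_RE = re.compile(r"^\s*(\d+)\s+(?:(\S+)\s+\((\d+\.\d+\.\d+\.\d+)\)|(\*))")


def is_rfc1918(addr):
    """True if addr falls inside one of the RFC 1918 private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETS)


def parse_hops(text):
    """Return a list of (ttl, address) tuples; address is None for a silent hop."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header line or something we do not recognise
        hops.append((int(m.group(1)), m.group(3)))
    return hops


def private_hops(text, local_ttl=1):
    """Hops past the local gateway (ttl > local_ttl) whose ICMP time-exceeded
    reply carried an RFC 1918 source address. The first hop is normally the
    user's own router, so a private address there is expected."""
    return [
        (ttl, addr)
        for ttl, addr in parse_hops(text)
        if addr is not None and ttl > local_ttl and is_rfc1918(addr)
    ]


if __name__ == "__main__":
    for ttl, addr in private_hops(SAMPLE_TRACEROUTE):
        print(f"hop {ttl}: time-exceeded reply from RFC 1918 address {addr}")
```

Run against the sample it reports hop 3 only; the local gateway at hop 1 is skipped on purpose, and the silent hop 4 is carried through the parse as `None` rather than dropped, so hop numbering stays intact.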
