Security Basics mailing list archives
Re: Removing ping/icmp from a network
From: "Michael Painter" <tvhawaii () shaka com>
Date: Sat, 29 Mar 2008 15:32:32 -1000
----- Original Message -----
From: "Ansgar -59cobalt- Wiechers"
Sent: Friday, March 28, 2008 6:44 AM
On 2008-03-27 Michael Painter wrote:
> I'm not sure what 'clean' means, but I'm not supposed to see 10/8 addresses on the "Internet".

You aren't seeing them "on the Internet".
Aloha Ansgar

Poor choice of words, maybe? How about via the Internet?

Anyway, there are (at least) two schools of thought on this, as shown by this thread from NANOG.
http://www.cctec.com/maillists/nanog/historical/0102/threads.html#00702

I've excised a couple, posted below.

--Michael

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

(From RFC 1918)

Because private addresses have no global meaning, routing information about private networks shall not be propagated on inter-enterprise links, and packets with private source or destination addresses should not be forwarded across such links. Routers in networks not using private address space, especially those of Internet service providers, are expected to be configured to reject (filter out) routing information about private networks.
> > > There are good reasons to want to get those packets (traceroutes from people who have numbered their networks in rfc1918 networks,
> >
> > No John, there are exactly zero reasons, good or otherwise, for allowing any traffic with RFC-1918 source addresses to traverse any part of the public Internet. Period! :-)

You are being religious, and I shall not descend into this sort of discussion with you. It is simply neither productive nor professional.
OK, sorry, let me qualify that: No John, there are exactly zero TECHNICAL reasons, good or otherwise, for allowing any traffic with RFC-1918 source addresses to traverse any part of the public Internet. Period! :-)
I disagree, and believe that other reasonable people do so as well, and there is therefore argument over this issue. People should not assert canonicity upon it. End of story.
In all of the past discussions on this issue there have never been any presentations of technical reasons for allowing RFC-1918 addresses (in either the source *or* destination fields) to traverse the public Internet. (At least none have been presented while I've been watching, not anywhere.)

Yes, those who have the misunderstanding that they can use such addresses are going to fail to filter them lest they block their own uses, but that's circular reasoning, even if it is technically correct within the microcosms of those people's own minds.

However in public there is no possible valid technical argument, by mere definition of the way RFC-1918 defines the fact that such addresses are solely for PRIVATE use, and private use ONLY. Unfortunately RFC-1918 is not also a STD-* document, but even as it is just a Best Current Practice, it can only ever really succeed even as a BCP if everyone co-operates completely, and since people are eager to use PRIVATE addresses that pretty much forces the rest of you to co-operate since we're going to filter the heck out of your "mis-uses".

RFC-1918 also clearly suggests that non-unique PRIVATE addresses are really only useful where external connectivity is not used -- i.e. for private networks that are never in any way connected to the public Internet. I.e. use of private addresses on public devices, with or without filtering at network borders, is still "wrong". One might even go so far as to argue that use of PRIVATE addresses behind a proper NAT is similarly "wrong", though of course with a proper NAT you'd never know! :-)

Note that any part of the Internet which joins any two independently controlled and operated nodes is, by definition, public. That means that even an ISP with just direct customers must still never allow RFC-1918 addresses to appear at either their customer sites, or on their back-haul(s) to the rest of the Internet. Their customers have just as much right to make private use of RFC-1918 addresses as does any other participant on the public Internet. Any use by any ISP of any RFC-1918 addressing violates that right.

The only other technical option is to forget about allocating private address space, deprecate RFC-1918, and open up the address space to full and proper routing. Though I do find private address space handy, I wouldn't mind making all that space publicly available too.

So, do we want RFC-1918 promoted to a full standard, or deleted? You choose.

------------------------------------------------------------

RFC1918 addresses cause real problems. They are not supposed to be used. It cannot be made much clearer than that.

Choosing to ignore the wishes of the rest of the Internet community in order to make your own life a little bit easier is not a question of free will, it is a matter of selfishness. Furthermore, if you claim that you have the right to violate the spirit and intent of Internet BCPs then I certainly have the right to complain about it without being labelled as psycho/paranoid/nazi.

Thanks

-- 
Eric A. Hall                                        http://www.ehsco.com/
Internet Core Protocols          http://www.oreilly.com/catalog/coreprot/
  Source host
       |
  Router (206.126.0.5)
       |
  Router (66.135.224.201)
       |
       : :
       |
  Router (63.237.224.30)
       |                        <-- packet entering Microsoft's network
  Router (207.46.36.249)
       |
       : :
       |
  Router (207.46.34.38)         <-- Router doing NAT
       |                        <-- packet entering private network
  Router (10.22.0.26)
       |
       : :
       |
  Destination host

Traceroute reports the IP addresses of the "en-route" hosts the packets traverse. That may include private IP addresses.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches becoming available."
--Jason Coombs on Bugtraq
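As an added illustration of the two technical points in this message (example code, not part of the original thread or of anything its authors posted): the traceroute text below is constructed to follow the hops in Ansgar's diagram; the `traceroute -n` style output and the round-trip times are assumptions. The first check finds the hop at which a trace first reports an RFC 1918 address, i.e. where it has crossed a NAT into private space; the second applies the RFC 1918 rule quoted earlier (no forwarding of packets with a private source *or* destination across an inter-enterprise link) to a source/destination pair.

```python
"""RFC 1918 checks for traceroute output and border filtering.

Added example, not code from the mailing-list thread.  The traceroute
text is constructed to mirror Ansgar's diagram; timings are made up.
Assumes numeric (`traceroute -n`) output: one IPv4 address per hop line.
"""
import ipaddress
import re

# The three RFC 1918 blocks.  169.254/16 (link-local) and 100.64/10
# (shared address space) are *not* RFC 1918 and are deliberately excluded.
RFC1918_NETS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def is_rfc1918(addr):
    """True if addr is an IPv4 address inside one of the RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918_NETS)


# Constructed sample following the path in the diagram above (hop numbers
# and round-trip times are assumptions, not measured values).
SAMPLE_TRACEROUTE = """\
traceroute to 10.22.0.26 (10.22.0.26), 30 hops max, 60 byte packets
 1  206.126.0.5  0.412 ms  0.398 ms  0.377 ms
 2  66.135.224.201  1.102 ms  1.088 ms  1.066 ms
 3  63.237.224.30  9.871 ms  9.855 ms  9.839 ms
 4  207.46.36.249  12.004 ms  11.980 ms  11.955 ms
 5  207.46.34.38  12.533 ms  12.511 ms  12.490 ms
 6  10.22.0.26  12.901 ms  12.880 ms  12.858 ms
"""

# hop number, then a dotted-quad address, then whitespace (the RTT column)
HOP_RE = re.compile(r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s")


def parse_hops(text):
    """Return [(hop_number, address)] for hop lines carrying an address.
    The header line and '* * *' lines (no reply) carry none and are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2)))
    return hops


def first_private_hop(text):
    """Hop number where the trace first reports an RFC 1918 address, i.e.
    where the packets have crossed a NAT into a private network.
    Returns None if every replying hop is publicly addressed."""
    for hop, addr in parse_hops(text):
        if is_rfc1918(addr):
            return hop
    return None


def border_filter_verdict(src, dst):
    """RFC 1918 rule for an inter-enterprise link: a packet with a private
    source *or* destination address is not forwarded.  'drop' or 'forward'."""
    if is_rfc1918(src) or is_rfc1918(dst):
        return "drop"
    return "forward"


if __name__ == "__main__":
    for hop, addr in parse_hops(SAMPLE_TRACEROUTE):
        tag = "private (RFC 1918)" if is_rfc1918(addr) else "public"
        print(f"{hop:2d}  {addr:16s} {tag}")
    print("first private hop:", first_private_hop(SAMPLE_TRACEROUTE))
    print("192.0.2.10 -> 10.22.0.26 at border:",
          border_filter_verdict("192.0.2.10", "10.22.0.26"))
```

On the sample, hops 1 through 5 classify as public and hop 6 (10.22.0.26, the destination behind the NAT at 207.46.34.38) is the first private hop; the NAT router itself still appears with its public address, which is why a trace can show private addresses without any RFC 1918 packet having crossed the public Internet. The border verdict drops traffic in either direction that carries a 10/8, 172.16/12 or 192.168/16 address.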
Current thread:
- Re: Removing ping/icmp from a network, (continued)
- Re: Removing ping/icmp from a network Ansgar -59cobalt- Wiechers (Mar 26)
- RE: Removing ping/icmp from a network Craig Wright (Mar 26)
- Re: Removing ping/icmp from a network Jason (Mar 27)
- Re: Removing ping/icmp from a network Mark Owen (Mar 27)
- R: Removing ping/icmp from a network Vega - Brunello Ivan (Mar 27)
- Re: Removing ping/icmp from a network Jason (Mar 27)
- Re: Removing ping/icmp from a network Michael Painter (Mar 27)
- Re: Removing ping/icmp from a network Razi Shaban (Mar 28)
- Re: Removing ping/icmp from a network Michael Painter (Mar 28)
- Re: Removing ping/icmp from a network Ansgar -59cobalt- Wiechers (Mar 28)
- Re: Removing ping/icmp from a network Michael Painter (Mar 31)
- RE: Removing ping/icmp from a network Ric Messier (Mar 28)
- Re: Removing ping/icmp from a network Ansgar -59cobalt- Wiechers (Mar 26)
- RE: Removing ping/icmp from a network Adewale, Akin (IT Services - Infosec Team) (Mar 28)
- RE: Removing ping/icmp from a network Craig Wright (Mar 28)
- Re: Removing ping/icmp from a network Ansgar -59cobalt- Wiechers (Mar 28)
- Re: Removing ping/icmp from a network Jason (Mar 28)
- Re: Removing ping/icmp from a network Ansgar -59cobalt- Wiechers (Mar 31)
- Re: Removing ping/icmp from a network Jon R. Kibler (Mar 26)