Educause Security Discussion mailing list archives

Re: 10-space is L..A..R..G..E (was Re: Large edu's doing NAT campus wide?)


From: Jeff Kell <jeff-kell () UTC EDU>
Date: Mon, 30 Apr 2007 11:14:36 -0400

Clifford Collins wrote:
I would rather find a way to actively route all traffic from the
unassigned subnets to something I can use to detect the presence of
rogue devices.

I earlier wrote "Install a lowest-priority static null route to 10.0.0.0/8 at your core" to discard the rogues.  
Looking at it now, that isn't clear.  I meant a "lowest-priority static route for 10.0.0.0/8 *to* null".  This of 
course will only discard packets that have a *destination* on an invalid network.  If your core switch/router supports 
uRPF, and you have it turned on, this will also discard packets with a *source* on an invalid network.

As for "redirecting" packets sourced from an invalid network, you can do this with some extra trouble with policy 
routing, along the lines of:

  route-map catch-invalid-sources permit 10
     match ip address invalid-nets
     set ip next-hop your.tarpit.ip.address

  ip access-list standard invalid-nets
     remark say that 10.10 is valid
     deny   10.10.0.0  0.0.255.255
     remark while any other 10. is not
     permit 10.0.0.0   0.255.255.255

  ! the route-map only takes effect once applied with
  ! "ip policy route-map catch-invalid-sources" on the ingress interface(s)

Policy routing is going to cost you some horsepower.  Your mileage may vary.

Jeff
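An added illustration, not part of Jeff's message and not vendor code, that models the three mechanisms discussed in the thread in Python: a longest-prefix lookup against a constructed routing table in which the 10.0.0.0/8 route points at Null0 (so it only catches destinations no real subnet claims), a strict uRPF check against that same table, and the wildcard-mask evaluation of the invalid-nets standard ACL that drives the policy route. The routing table, the interface names and the tarpit address 10.10.0.250 are constructed assumptions, and the ordering modelled (ingress uRPF check, then policy routing, then the normal forwarding lookup) is an assumption about how a router applies them. The IOS commands that realise the first two on a real box, `ip route 10.0.0.0 255.0.0.0 Null0` and `ip verify unicast source reachable-via rx`, are not executed here.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed routing table: one valid campus subnet (10.10/16) with a real
# next hop, the /8 catch-all pointing at Null0, and a default route upstream.
# The Null0 route is "lowest priority" only because it is the least specific
# prefix: longest-prefix match lets every real subnet win over it.
ROUTES: List[Tuple[str, str]] = [
    ("10.10.0.0/16", "Vlan10"),
    ("10.0.0.0/8", "Null0"),
    ("0.0.0.0/0", "Uplink"),
]

# Constructed wildcard-mask ACL mirroring the invalid-nets list in the mail.
# Wildcard bits set to 1 are "don't care"; first matching entry wins; an
# address matching no entry hits the implicit deny at the end.
ACL_INVALID_NETS: List[Tuple[str, str, str]] = [
    ("deny", "10.10.0.0", "0.0.255.255"),    # 10.10/16 is the valid campus net
    ("permit", "10.0.0.0", "0.255.255.255"),  # any other 10. is not
]

TARPIT = "10.10.0.250"  # assumed tarpit/sensor address for the policy route


def lookup(dst: str, routes: List[Tuple[str, str]] = ROUTES) -> str:
    """Longest-prefix match: return the next hop of the most specific route
    covering dst, or 'no-route' if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for prefix, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else "no-route"


def urpf_strict(src: str, ingress: str, routes: List[Tuple[str, str]] = ROUTES) -> bool:
    """Strict uRPF: accept only if the route back to src exits via the
    interface the packet arrived on. A source covered only by the Null0
    /8 route fails, which is how the null route also kills rogue *sources*."""
    return lookup(src, routes) == ingress


def acl_permits(src: str, acl: List[Tuple[str, str, str]] = ACL_INVALID_NETS) -> bool:
    """Evaluate a standard (source-address) ACL with IOS wildcard masks.
    Returns True when the ACL permits src, i.e. the route-map clause matches."""
    s = int(ipaddress.ip_address(src))
    for action, net, wild in acl:
        n = int(ipaddress.ip_address(net))
        care = ~int(ipaddress.ip_address(wild)) & 0xFFFFFFFF  # bits that must match
        if (s & care) == (n & care):
            return action == "permit"
    return False  # implicit deny


def forward(src: str, dst: str, ingress: str, urpf: bool = True) -> str:
    """Combine the mechanisms in the assumed order: ingress uRPF check,
    then policy routing on the source ACL, then the normal destination lookup."""
    if urpf and not urpf_strict(src, ingress):
        return "drop:urpf"
    if acl_permits(src):
        return f"policy-route:{TARPIT}"
    nexthop = lookup(dst)
    return "drop:null-route" if nexthop == "Null0" else f"forward:{nexthop}"


if __name__ == "__main__":
    # Constructed sample packets: (src, dst, ingress interface)
    samples = [
        ("10.10.1.1", "192.0.2.1", "Vlan10"),   # valid host, normal traffic
        ("10.10.1.1", "10.20.3.3", "Vlan10"),   # valid host, bogus destination
        ("10.20.1.1", "192.0.2.1", "Vlan10"),   # rogue source, uRPF on
    ]
    for src, dst, ifc in samples:
        print(f"{src:>12} -> {dst:<12} via {ifc}: uRPF on: {forward(src, dst, ifc)}"
              f"  | uRPF off: {forward(src, dst, ifc, urpf=False)}")
```

With uRPF enabled the rogue-sourced packet is dropped before the policy route ever sees it, which is why the mail presents the tarpit redirect as the option for when you want to see the rogues rather than silently discard them.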
