Security Incidents mailing list archives
Re: Private networks and home.{net|com}
From: peak () ARGO TROJA MFF CUNI CZ (Pavel Kankovsky)
Date: Thu, 10 Feb 2000 12:35:50 +0100
On Wed, 9 Feb 2000, Rasmus Andersson wrote:
> It's perfectly legal (and in many ways good) to use those addresses on link networks, and filtering out ALL traffic from such addresses is therefore a Bad Idea(tm). In particular, you MUST let ICMP Unreachable - Fragmentation Needed through to not damage path-MTU discovery. IMHO you should let any ICMP Unreachables through as well as Time Exceeded.
I might have a very good reason not to allow any RFC-1918-address originated datagrams from outside: I might be using these addresses myself in my internal network. Why should I allow anyone to spoof internal traffic of any kind? IMHO, it is a Bad Idea(tm) to allow a PRIVATE address to appear in a PUBLIC network! And people who do it are messing things up themselves.
--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
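The two filtering positions in this message, written as one ingress decision function so their differences can be compared packet by packet. This is an added example, not code from either poster; the policy names, the packet dictionary layout and the sample packets are assumptions constructed for illustration.

```python
import ipaddress

# RFC 1918 private ranges, the addresses the thread is about.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ICMP_UNREACHABLE = 3    # code 4 = Fragmentation Needed (path-MTU discovery)
ICMP_TIME_EXCEEDED = 11


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def ingress_decision(pkt, policy):
    """Verdict for a packet arriving on the EXTERNAL interface.

    "strict":      drop every RFC 1918 source (the reply's position).
    "icmp-exempt": drop RFC 1918 sources except ICMP Unreachable and
                   Time Exceeded (the quoted position).
    Policy names are hypothetical labels for this example.
    """
    if policy not in ("strict", "icmp-exempt"):
        raise ValueError(f"unknown policy: {policy}")
    if not is_rfc1918(pkt["src"]):
        return "accept"  # not matched by this rule; other rules still apply
    if (policy == "icmp-exempt" and pkt["proto"] == "icmp"
            and pkt.get("icmp_type") in (ICMP_UNREACHABLE, ICMP_TIME_EXCEEDED)):
        return "accept"
    return "drop"


# Constructed sample packets (not taken from the thread).
SAMPLES = [
    {"name": "frag-needed from 10.x link", "src": "10.1.2.3",
     "proto": "icmp", "icmp_type": 3, "icmp_code": 4},
    {"name": "time-exceeded from 172.16.x hop", "src": "172.16.5.1",
     "proto": "icmp", "icmp_type": 11, "icmp_code": 0},
    {"name": "echo-request from 10.x", "src": "10.9.9.9",
     "proto": "icmp", "icmp_type": 8, "icmp_code": 0},
    {"name": "tcp with 192.168.x source", "src": "192.168.1.10", "proto": "tcp"},
    {"name": "tcp from 172.32.x (not RFC 1918)", "src": "172.32.0.1", "proto": "tcp"},
]


def compare(samples=SAMPLES):
    """Map each sample name to its (strict, icmp-exempt) verdicts."""
    return {p["name"]: (ingress_decision(p, "strict"),
                        ingress_decision(p, "icmp-exempt")) for p in samples}


if __name__ == "__main__":
    for name, (strict, exempt) in compare().items():
        print(f"{name:34} strict={strict:6} icmp-exempt={exempt}")
```

The rows where the two verdicts differ are exactly the ICMP error messages under dispute: the strict policy loses them for path-MTU discovery and traceroute, while the exempt policy accepts them from a source address it cannot distinguish from an internal one.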