nanog mailing list archives

Re: RFC 1918


From: woods () weird com (Greg A. Woods)
Date: Mon, 17 Jul 2000 00:18:08 -0400 (EDT)


[ On Sunday, July 16, 2000 at 16:58:52 (-0700), Bohdan Tashchuk wrote: ]
Subject: Re: RFC 1918 

> Line #2 allows relatively benign incoming ICMP, such as "fragmentation
> needed", but hopefully blocks the more problematic stuff.

That might be just fine for *you* and anyone *exactly* like you who will
*never* use RFC1918 addresses internally yourself.  However *everyone*
who does use such addresses cannot even allow "harmless ICMP" through as
it can suddenly be *far* from harmless.

It really really really really is best for *everyone* if *all* RFC1918
addresses, src or dst, *always* get filtered everywhere possible.  The
more redundancy here then the better everyone is protected against both
their own mistakes as well as those of others.  Even better of course is
full ingress/egress filtering of spoofed addresses, which of course will
obviously block RFC1918 packets along with all other illegal packets.

Once you go beyond merely protecting everyone from their mistakes and
those of others and you add in the potential malicious uses of such
illegal packets (both RFC1918, as well as otherwise spoofed packets),
well then the argument becomes overwhelming in favour of full filtering
everywhere possible.

> Of course I never send packets to the Internet with an RFC1918 address in
> them.

Exactly, and so long as anyone who does use such numbers internally is
always 100% absolutely perfect in configuring their routers then there's
no reason *not* to filter RFC1918 addresses everywhere else to prevent
the malicious uses!  ;-)

Furthermore anyone "accidentally" using any addresses not explicitly
assigned to them in publicly accessible places will more quickly learn
the error of their ways if all such illegal use is blocked, logged, and
reported, at the closest possible point to their borders.

-- 
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods () acm org>      <robohack!woods>
Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>
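The filtering policy argued for in the message above (drop every packet with an RFC1918 source or destination, in either direction and regardless of protocol, then apply ingress/egress checks against the prefixes you actually own, and log what was dropped) as an added worked example. This is not code from the original post or from any NANOG participant; it is a standalone illustration. The packets, the "owned" prefix 203.0.113.0/24 and the verdict names are constructed for the example, and the RFC1918 ranges are the three blocks the RFC defines.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# The three private blocks defined by RFC 1918.
RFC1918_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    # Constructed packet descriptor: only the header fields the policy needs.
    direction: str        # "in": arriving from the Internet, "out": leaving toward it
    src: str
    dst: str
    proto: str = "tcp"    # protocol is carried only for logging; the rules ignore it


def in_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETS)


def in_prefixes(addr: str, prefixes: Iterable[str]) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


def classify(pkt: Packet, own_prefixes: Iterable[str]) -> Tuple[str, str]:
    """Return (verdict, reason) for one packet at the border.

    The RFC1918 checks come first and apply to both directions and every
    protocol, so a "harmless" ICMP from 10.x.x.x is dropped like anything
    else.  The ingress/egress checks then catch other spoofed sources:
    inbound traffic claiming our own prefix, outbound traffic not from it.
    """
    own = list(own_prefixes)
    if in_rfc1918(pkt.src):
        return "drop", "rfc1918-src"
    if in_rfc1918(pkt.dst):
        return "drop", "rfc1918-dst"
    if pkt.direction == "in" and in_prefixes(pkt.src, own):
        return "drop", "ingress-spoof-own-prefix"
    if pkt.direction == "out" and not in_prefixes(pkt.src, own):
        return "drop", "egress-spoof-not-own-prefix"
    return "permit", "ok"


def filter_and_log(packets: Iterable[Packet],
                   own_prefixes: Iterable[str]) -> Tuple[List[Packet], List[str]]:
    """Apply classify() to a stream; return permitted packets and drop log lines."""
    own = list(own_prefixes)
    permitted, log = [], []
    for pkt in packets:
        verdict, reason = classify(pkt, own)
        if verdict == "drop":
            log.append(f"DROP {pkt.direction} {pkt.proto} {pkt.src} -> {pkt.dst} [{reason}]")
        else:
            permitted.append(pkt)
    return permitted, log


# Constructed sample traffic at a border whose only assigned block is 203.0.113.0/24.
OWN_PREFIXES = ["203.0.113.0/24"]
SAMPLE = [
    Packet("in", "10.0.0.1", "203.0.113.10", "icmp"),      # "frag needed" from RFC1918: drop
    Packet("in", "198.51.100.7", "203.0.113.10"),          # ordinary inbound: permit
    Packet("in", "203.0.113.99", "203.0.113.10"),          # inbound claiming our prefix: drop
    Packet("out", "203.0.113.10", "198.51.100.7"),         # ordinary outbound: permit
    Packet("out", "192.0.2.5", "198.51.100.7", "udp"),     # outbound not from our prefix: drop
    Packet("out", "203.0.113.10", "192.168.1.1"),          # leaking RFC1918 destination: drop
]

if __name__ == "__main__":
    kept, dropped = filter_and_log(SAMPLE, OWN_PREFIXES)
    for line in dropped:
        print(line)
    print(f"permitted {len(kept)} of {len(SAMPLE)} packets")
```

The RFC1918 rules are deliberately placed before the prefix-based ones so that they hold even if the list of owned prefixes is wrong or empty, which is the "redundancy against your own mistakes" point; a real deployment would install these as ACLs on every border interface and ship the log lines to wherever abuse reports are generated.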


