nanog mailing list archives

Re: Bogon list

From: Chris Woodfield <rekoil () semihuman com>
Date: Fri, 7 Jun 2002 13:40:17 -0400

Well, the biggest offender in this respect by far was @home, and you know what 
happened to THEM...

-C

On Fri, Jun 07, 2002 at 12:55:08PM -0400, Greg A. Woods wrote:


[ On Friday, June 7, 2002 at 10:26:53 (+0100), Stephen J. Wilcox wrote: ]

Subject: Re: Bogon list

RFC1918 does not break path-mtu, filtering it does tho..


So, in other words inappropriate use of RFC 1918 does not break Path MTU
Discovery!  You can't still have your cake and have eaten it too.  One
way or another RFC 1918 addresses must not be let past the enterprise
boundaries.  Lazy and/or ignorant people don't always meet all the
requirements of RFC 1918, but it's only their lack of compliance that
_may_ allow Path-MTU-discovery to continue working for their networks
for _some_ people _some_ of the time.

However any enterprise also using RFC 1918, but using it correctly (or
customers of such an enterprise), and thus who are also carefully
protecting their use from interference by outside parties, will be
filtering inbound packets with source addresses in the RFC 1918 assigned
networks, and so as a result they _will_ experience Path-MTU-discovery
failure (i.e. at any time it's necessary it literally cannot work) when
attempting to contact (and sometimes be contacted by, depending on the
application protocol in use) any host on or behind the lazy and/or
ignorant operator's network(s).

(and no, I'm not sorry if I've yet again offended anyone who might be
mis-using RFC 1918 addresses for public nodes -- you should all know
better by now!  How many _years_ has it been?)

2) Not believe in filtering RFC1918 sourced traffic at enterprise boundaries
(of which an exchange would be a boundary)


What for? You'll find many more much more mailicious packets coming from
legit routable address space.


If you have any IP address level trust relationsips on your internal
LANs then you _MUST_ (if you want those trust relationships to be valid)
filter all foreign packets with source addresses appearing to be part of
your internal LANs.

For p2p you can use unnumbered.. it wont work on exchanges but i agree
they shouldnt be rfc1918.


On this we can agree!  :-)

-- 
                                                              Greg A. Woods

+1 416 218-0098;  <gwoods () acm org>;  <g.a.woods () ieee org>;  <woods () robohack ca>
Planix, Inc. <woods () planix com>; VE3TCP; Secrets of the Weird <woods () weird com>

Attachment: _bin
Description:

Current thread:

RE: Bogon list, (continued)
- - - RE: Bogon list Kurt Erik Lindqvist (Jun 05)
  - Re: Bogon list Rob Thomas (Jun 04)
  - RE: Bogon list Barry Raveendran Greene (Jun 04)
- Re: Bogon list Sean M. Doran (Jun 04)
  - Re: Bogon list Joe Abley (Jun 04)
  - Re: Bogon list Stephen Griffin (Jun 06)
    - Re: Bogon list Richard A Steenbergen (Jun 06)
    - Re: Bogon list John Payne (Jun 06)
    - Re: Bogon list Stephen J. Wilcox (Jun 07)
    - Re: Bogon list Greg A. Woods (Jun 07)
    - Re: Bogon list Chris Woodfield (Jun 07)
    - Re: Bogon list Stephen J. Wilcox (Jun 08)
    - Re: Bogon list Stephen Griffin (Jun 07)
    - Re: Bogon list Greg A. Woods (Jun 07)
    - Message not available
    - Re: Bogon list Daniel Senie (Jun 07)
    - Re: Bogon list Stephen J. Wilcox (Jun 07)
- Re: Bogon list Sean M. Doran (Jun 04)
  - Re: Bogon list David McGaugh (Jun 04)
    - Re: Bogon list David McGaugh (Jun 04)
- Re: Bogon list Sean M. Doran (Jun 04)
- Re: Bogon list Sean M. Doran (Jun 04)

(Thread continues...)