Firewall Wizards mailing list archives
Re: egress/ingress filtering
From: "Crist Clark" <crist.clark () globalstar com>
Date: Thu, 15 Feb 2001 15:34:34 -0800
"Irwin R. Naumann" wrote:
> I know that one should do egress/ingress filtering on one's network border(s) of the private networks described in RFC1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and anti-spoofing of one's own address blocks. Bill Manning expanded this list to include: 0.0.0.0/8 127.0.0.0/8 192.0.2.0/24 169.254.0.0/16 all D/E space (with a caveat on Class D - multicast address space) in http://search.ietf.org/internet-drafts/draft-manning-dsua-06.txt. Is there an RFC or internet draft other than Bill Manning's that documents special prefixes?
Not that I am aware, and I have looked. After seeing Victoria Irwin present on what kind of "reserved" numbers to block, I spoke with her briefly and neither of us could find any definitive sources.
> Are these ALL the special prefixes?
That is about it. Maybe 14/8, 7/8, and some others. But I don't worry about it. More on that below.
> Why aren't "IANA - Reserved" blocks as found in http://www.isi.edu/in-notes/iana/assignments/ipv4-address-space included in egress/ingress filtering examples?
Because "Reserved" does not mean what you think in all cases. For example, Ms. Irwin put up a list of "reserved" IP addresses at the conference. For the conference, she had had to submit her slides months in advance. I noticed that some of the "reserved" blocks she mentioned, IIRC 65/8 is an example, were no longer reserved. In the time since she had completed her slides, that block had been assigned. In fact, CERT/CC, http://www.cert.org/tech_tips/whois_by_ipaddr.html has not kept all of their docs up to date. Note the differences between it and the ISI URL you give above.

However, I question the value of worrying too much about blocking reserved addresses. At your border(s) you should do ingress and egress filtering like so:

(1) Ingress: Do not let anything in that has a source address the same as your internal network.

(2) Egress: Do not let anything out that does NOT have a source address on your internal network. (Unless you are some kind of service that routes other people's traffic through. You need to pass their traffic in and out too, obviously.)

Worrying much about blocking "reserved" numbers is silly. An attacker that tosses reserved numbers your way is making your life easy since YOU KNOW they are faked. What is difficult and actually impossible for you to determine without outside help is when valid IP addresses are being faked. It is just as easy for the attacker to shoot packets with this new, valid 65/8 block as the faked source as it is for him to shoot good ol' 10/8-net sourced ones. If you get the 10-net ones, you immediately know what is happening. Packets from 65-net are a challenge.

-- 
Crist J. Clark                                Network Security Engineer
crist.clark () globalstar com                          Globalstar, L.P.
(408) 933-4387                                    FAX: (408) 933-4926
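The two border rules above, plus a bogon check, written out as a small filter-decision function. This is an added example for the archive, not code from Crist Clark or the list; the internal prefix 203.0.113.0/24 and the sample packets are constructed, and 65.1.2.3 stands in for the "newly assigned 65/8" case the post describes.

```python
import ipaddress

# The site's own address block(s): constructed sample, not from the post.
INTERNAL = [ipaddress.ip_network("203.0.113.0/24")]

# Prefixes the thread treats as never-valid Internet sources: RFC 1918 plus
# the blocks from Bill Manning's draft. "IANA reserved" space is deliberately
# left out, since (as the post notes) it gets assigned over time.
BOGONS = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "0.0.0.0/8", "127.0.0.0/8", "192.0.2.0/24", "169.254.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def border_decision(direction, src):
    """Apply the post's two border rules to one packet's source address.

    direction is "ingress" (arriving from outside) or "egress" (leaving
    toward the Internet). Returns (action, reason).
    """
    a = ipaddress.ip_address(src)
    inside = _in_any(a, INTERNAL)
    if direction == "ingress":
        if inside:
            return "drop", "claims an internal source from outside: spoofed"
        if _in_any(a, BOGONS):
            return "drop", "bogon source: certainly forged, the easy case"
        # A valid, assigned block like 65/8 may still be forged; the border
        # cannot tell, which is the hard case the post describes.
        return "accept", "plausible external source; spoofing undetectable here"
    if direction == "egress":
        if not inside:
            return "drop", "source is not ours: would be spoofing from our net"
        return "accept", "source is ours"
    raise ValueError("direction must be 'ingress' or 'egress'")


def demo():
    """Run a constructed set of packets through the rules."""
    samples = [("ingress", "10.1.2.3"), ("ingress", "203.0.113.7"),
               ("ingress", "65.1.2.3"), ("egress", "203.0.113.7"),
               ("egress", "10.1.2.3")]
    return [(d, s) + border_decision(d, s) for d, s in samples]
```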