Firewall Wizards mailing list archives

Re: egress/ingress filtering


From: "Crist Clark" <crist.clark () globalstar com>
Date: Thu, 15 Feb 2001 15:34:34 -0800

"Irwin R. Naumann" wrote:

> I know that one should do egress/ingress filtering on one's network border(s)
> of the private networks described in RFC1918 (10.0.0.0/8, 172.16.0.0/12,
> 192.168.0.0/16) and anti-spoofing of one's own address blocks.

> Bill Manning expanded this list to include:
> 0.0.0.0/8
> 127.0.0.0/8
> 192.0.2.0/24
> 169.254.0.0/16
> all D/E space (with a caveat on Class D - multicast address space)
> in http://search.ietf.org/internet-drafts/draft-manning-dsua-06.txt.

> Is there an RFC or internet draft other than Bill Manning's that documents
> special prefixes?

Not that I am aware, and I have looked. After seeing Victoria Irwin
present on what kind of "reserved" numbers to block, I spoke with her
briefly and neither of us could find any definitive sources.

> Are these ALL the special prefixes?

That is about it. Maybe 14/8, 7/8, and some others. But I don't worry
about it. More on that below.
 
> Why aren't "IANA - Reserved" blocks as found in
> http://www.isi.edu/in-notes/iana/assignments/ipv4-address-space
> included in egress/ingress filtering examples?

Because "Reserved" does not mean what you think in all cases. For
example, Ms. Irwin put up a list of "reserved" IP addresses at the
conference. For the conference, she had had to submit her slides
months in advance. I noticed that some of the "reserved" blocks
she mentioned, IIRC 65/8 is an example, were no longer reserved.
In the time since she had completed her slides, that block had
been assigned. In fact, CERT/CC,

  http://www.cert.org/tech_tips/whois_by_ipaddr.html

has not kept all of their docs up to date. Note the differences
between it and the ISI URL you give above.

However, I question the value of worrying too much about blocking
reserved addresses. At your border(s) you should do ingress and
egress filtering like so:

  (1) Ingress: Do not let anything in that has a source address 
      the same as your internal network.

  (2) Egress: Do not let anything out that does NOT have a source
      address on your internal network.

(Unless you are some kind of service that routes other people's traffic
through. You need to pass their traffic in and out too, obviously.)

Worrying much about blocking "reserved" numbers is silly. An attacker 
that tosses reserved numbers your way is making your life easy since
YOU KNOW they are faked. What is difficult and actually impossible
for you to determine without outside help is when valid IP addresses
are being faked. It is just as easy for the attacker to shoot packets 
with this new, valid 65/8 block as the faked source as it is for
him to shoot good ol' 10/8-net sourced ones. If you get the 10-net ones,
you immediately know what is happening. Packets from 65-net are a 
challenge.
-- 
Crist J. Clark                                Network Security Engineer
crist.clark () globalstar com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926
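Rules (1) and (2) above, plus the "reserved is obvious, valid is not" point, as a runnable decision function; this is an added illustration, not code from the original post. The internal prefix, the sample packets and the transit flag are constructed assumptions; the bogon list is the one quoted from Manning's draft plus RFC 1918.

```python
import ipaddress

# Constructed assumption: the site's own address space. One RFC 1918 block
# stands in for "your internal network" in rules (1) and (2).
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]

# Prefixes named in the thread: RFC 1918 plus Manning's draft (0/8, 127/8,
# 192.0.2/24, 169.254/16, and class D/E as 224/3). Per the post's caveat,
# drop class D only if your site does not receive multicast.
BOGON_NETS = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "0.0.0.0/8",
    "127.0.0.0/8", "192.0.2.0/24", "169.254.0.0/16", "224.0.0.0/3",
)]


def filter_packet(direction, src, internal_nets=INTERNAL_NETS,
                  bogons=BOGON_NETS, transit=False):
    """Return (verdict, reason) for a packet crossing the border.
    direction is "in" (arriving) or "out" (leaving). transit=True models
    the post's exception for a provider carrying other people's traffic."""
    addr = ipaddress.ip_address(src)
    internal = any(addr in net for net in internal_nets)
    if direction == "in":
        if internal:  # rule (1): our addresses never arrive from outside
            return ("drop", "ingress: source claims to be one of ours")
    elif direction == "out":
        if internal:  # rule (2) satisfied: one of our hosts talking out
            return ("accept", "egress: source is one of our addresses")
        if not transit:  # rule (2): nothing leaves with a foreign source
            return ("drop", "egress: source is not one of ours")
    else:
        raise ValueError("direction must be 'in' or 'out'")
    # Foreign source from here on. Reserved space is an obvious forgery;
    # anything else looks valid whether or not it is really spoofed.
    if any(addr in net for net in bogons):
        return ("drop", "bogon: reserved source, known to be forged")
    return ("accept", "plausible source; spoofing not locally detectable")


# Constructed sample packets (direction, source). 65/8 stands in for the
# newly allocated block mentioned in the post.
SAMPLE_PACKETS = [
    ("in", "192.168.4.7"), ("in", "10.1.2.3"), ("in", "224.0.0.1"),
    ("in", "65.0.0.1"), ("out", "192.168.4.7"), ("out", "65.10.20.30"),
]

def audit(packets, **kwargs):
    """Run filter_packet over packets; returns (direction, src, verdict, reason)."""
    return [(d, s) + filter_packet(d, s, **kwargs) for d, s in packets]
```

Only the 10-net and multicast sources are caught as forgeries; the 65/8 packet is accepted because nothing at the border distinguishes it from genuine traffic.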

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards