Security Incidents mailing list archives

Re: Private networks and home.{net|com}


From: raane () WMDATA COM (Rasmus Andersson)
Date: Wed, 9 Feb 2000 11:49:06 +0100


"Sachs, Marcus" wrote:

> An older router running an older IOS that doesn't know about RFC1918, that
> is passing internal "non-routable" IPs?
>
> ms

Please note that nothing of the following rant is directed at you
personally:

That is a completely irrelevant guess. RFC 1918 networks are not
"non-routable". It's just that you don't route them to/on the Internet.
No router treats those nets in any special way apart from that you should
_configure_ them not to exchange route information about those nets
through your perimeter routers.

It's perfectly legal (and in many ways good) to use those addresses on
link networks, and filtering out ALL traffic from such addresses is
therefore a Bad Idea(tm). In particular, you MUST let ICMP Unreachable -
Fragmentation Needed through to not damage path-MTU discovery. IMHO you
should let any ICMP Unreachables through as well as Time Exceeded.

There seems to be a growing problem that people are filtering any ICMP
and any RFC-1918 addresses without having enough knowledge on the
implications.

Regards

--
Rasmus Andersson

WM-data Security    http://www.wmdata.se/security
Löjtnantsgatan 25, Box 27307, 102 54 Stockholm
Tel: +46-(0)8-459 10 46, +46-(0)70-535 14 21
Fax: +46-(0)8-459 10 45

raane () wmdata com   PGP Id:70650262
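As an added illustration of the path-MTU discovery point made above (example code, not from the original post or its author): a small simulation of two border filters, one dropping all RFC 1918 sources and one that still admits ICMP Unreachable and Time Exceeded. The router link address, MTUs and policy names are constructed for the example.

```python
"""Simulate how filtering all RFC 1918-sourced traffic interacts with path-MTU discovery.

Constructed example: addresses, MTU values and filter policies are illustrative only.
"""
import ipaddress
from dataclasses import dataclass

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ICMP_UNREACHABLE, ICMP_TIME_EXCEEDED = 3, 11
FRAG_NEEDED = 4  # ICMP type 3, code 4: "fragmentation needed and DF set"


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str            # "icmp", "tcp", ...
    icmp_type: int = -1
    icmp_code: int = -1
    mtu: int = 0          # next-hop MTU carried in a Fragmentation Needed message


def is_private(addr: str) -> bool:
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)


def naive_filter(pkt: Packet) -> bool:
    """Permit unless sourced from RFC 1918 space (the blanket policy the post warns against)."""
    return not is_private(pkt.src)


def careful_filter(pkt: Packet) -> bool:
    """Drop RFC 1918-sourced traffic, but let ICMP Unreachable (incl. Frag Needed)
    and Time Exceeded through so PMTUD and traceroute keep working."""
    if not is_private(pkt.src):
        return True
    return pkt.proto == "icmp" and pkt.icmp_type in (ICMP_UNREACHABLE, ICMP_TIME_EXCEEDED)


def path_mtu_after_discovery(filter_fn, link_mtu: int = 1400, router_link_addr: str = "10.1.2.1") -> int:
    """A host sends a 1500-byte DF packet; a transit router whose link is numbered from
    RFC 1918 space answers with Frag Needed.  Return the MTU the host ends up using:
    link_mtu if the ICMP passes the filter, otherwise 1500 (the flow black-holes)."""
    reply = Packet(src=router_link_addr, proto="icmp",
                   icmp_type=ICMP_UNREACHABLE, icmp_code=FRAG_NEEDED, mtu=link_mtu)
    return reply.mtu if filter_fn(reply) else 1500
```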


