Security Incidents mailing list archives

Re: Private networks and home.{net|com}


From: raane () WMDATA COM (Andersson, Rasmus)
Date: Tue, 8 Feb 2000 15:13:21 +0100


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yes, there is something you don't completely understand :-)

The private nets are not routed on the Internet. A very good example of
use for that is link networks, just connecting two or more routers.
Besides saving public addresses, it adds some security.

In what way does that "destroy the meaning of the concept"? You cannot
reach that router, and you have no reason for doing that. But that
router can reach you with ICMP messages if need be. Or route your
packets.

This is why you should not filter ALL packets from private nets, you
must let ICMP unreachables and time-exceededs through. Otherwise you
will break Path-MTU-discovery.

regards

Rasmus Andersson

WM-data Security
Löjtnantsgatan 25
Box 27307, 102 54 Stockholm
Tel: 08-459 10 46, 070-535 14 21
Fax: 08-459 10 45
mailto:raane () wmdata com
http://www.sec.wmdata.se

-----Original Message-----
From: Etaoin Shrdlu [mailto:shrdlu () PACBELL NET]
Sent: Tuesday, February 08, 2000 5:52 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Private networks and home.{net|com}


So we're looking for a little odd something, and we do a simple traceroute,
and what do we see? What the heck are those IP addresses at hops 15, 20, and
21? I thought that those weren't supposed to be passed, and there are three
of them in one traceroute. This kind of destroys the meaning of the concept
of a "private network," especially if insane numbers like these are going to
show up in routing tables. Am I just not understanding something here?

<SNIP>

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>

iQA/AwUBOKAWeTwhv8twZQJiEQKUdgCeIEgXhqqbp1pQJgRgpX6YS4L8YOAAoPxe
dscdKSHSXk0pP92VgcX1Abnj
=O0+P
-----END PGP SIGNATURE-----
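The filtering point made above (drop traffic sourced from RFC 1918 space, but still let ICMP unreachables and time-exceededs through so that Path MTU discovery and traceroute keep working) is illustrated below with an added, self-contained Python model of the two policies. This is example code written for this archive page, not code from the thread or from either poster; the packet records are constructed samples, and the "naive" and "PMTU-safe" policy names are this example's own. ICMP type 3 (destination unreachable, with code 4 being "fragmentation needed and DF set") and type 11 (time exceeded) are the standard ICMP type numbers.

```python
import ipaddress

# RFC 1918 private address space: the "private nets" discussed in the thread.
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Standard ICMP type numbers.
ICMP_DEST_UNREACHABLE = 3   # code 4 = fragmentation needed and DF set (PMTU discovery)
ICMP_TIME_EXCEEDED = 11     # TTL expired in transit (what traceroute relies on)

# ICMP error types a link-net router with a private address must be allowed to send.
ALLOWED_ICMP_ERRORS = {ICMP_DEST_UNREACHABLE, ICMP_TIME_EXCEEDED}


def is_private(src):
    """True if the source address falls in RFC 1918 space."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in PRIVATE_NETS)


def naive_filter(pkt):
    """Policy A: drop everything sourced from a private net.

    This is the policy the thread warns against: it silently discards the
    ICMP errors that routers on private link networks send back, so a host
    behind it never learns that its packets were too big or timed out."""
    return "DROP" if is_private(pkt["src"]) else "ACCEPT"


def pmtu_safe_filter(pkt):
    """Policy B: drop private-sourced packets, except the ICMP error
    messages (unreachable, time exceeded) needed for PMTU discovery."""
    if not is_private(pkt["src"]):
        return "ACCEPT"
    if pkt["proto"] == "icmp" and pkt.get("icmp_type") in ALLOWED_ICMP_ERRORS:
        return "ACCEPT"
    return "DROP"


# Constructed sample packets for this example (addresses and ports are made up).
SAMPLE_PACKETS = [
    # A router on a 10/8 link net tells us our DF packet was too big.
    {"desc": "frag-needed from link-net router", "src": "10.1.1.1",
     "proto": "icmp", "icmp_type": 3, "icmp_code": 4},
    # The same kind of router answering a traceroute probe.
    {"desc": "time-exceeded from link-net router", "src": "172.20.0.9",
     "proto": "icmp", "icmp_type": 11, "icmp_code": 0},
    # An echo request from a private source: not an error message, stays dropped.
    {"desc": "ping from private source", "src": "192.168.5.5",
     "proto": "icmp", "icmp_type": 8, "icmp_code": 0},
    # Ordinary TCP from private space (spoofed or leaked) stays dropped.
    {"desc": "tcp syn from private source", "src": "10.0.0.7",
     "proto": "tcp", "dport": 22},
    # Legitimate public traffic is untouched by either policy.
    {"desc": "http from public source", "src": "203.0.113.10",
     "proto": "tcp", "dport": 80},
]


def evaluate(policy, packets=SAMPLE_PACKETS):
    """Return {description: verdict} for a policy over the sample packets."""
    return {pkt["desc"]: policy(pkt) for pkt in packets}


def breaks_pmtu_discovery(policy, packets=SAMPLE_PACKETS):
    """True if the policy drops any ICMP unreachable/time-exceeded message,
    i.e. if it would break PMTU discovery or traceroute through private link nets."""
    for pkt in packets:
        if pkt["proto"] == "icmp" and pkt.get("icmp_type") in ALLOWED_ICMP_ERRORS:
            if policy(pkt) == "DROP":
                return True
    return False


if __name__ == "__main__":
    for name, policy in (("naive", naive_filter), ("pmtu-safe", pmtu_safe_filter)):
        print(f"--- {name} policy (breaks PMTUD: {breaks_pmtu_discovery(policy)})")
        for desc, verdict in evaluate(policy).items():
            print(f"{verdict:7s} {desc}")
```

The model keys on the ICMP type only, which is what the thread asks for. A stateful firewall can do better by accepting these errors only when they relate to a connection it has already seen, which is how the "related" state of connection-tracking firewalls is normally used; the essential point either way is that an unconditional drop of everything from RFC 1918 space is the setting that breaks PMTU discovery.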

