nanog mailing list archives

Re: address spoofing


From: woods () most weird com (Greg A. Woods)
Date: Sat, 24 Apr 1999 13:01:48 -0400 (EDT)


[ On Friday, April 23, 1999 at 21:25:29 (-0500), Phil Howard wrote: ]
Subject: Re: address spoofing

> So are you making a case to allow RFC1918 source addresses out into the
> network?

Huh?  No, I thought I was saying very much the opposite!  I don't want
my upstream provider to use RFC1918 on inter-router links, but they do
anyway.  I'd like them to filter those addresses too, but they won't.

> How do you hide an IP network?

If you do all your internal routing over ATM or FR virtual circuits then
you won't need to (and in fact cannot) use IP numbers for those circuits
-- it all looks like the physical layer from IP's perspective (the
theory being that if you don't need IPs for inter-router links then you
won't be using precious unique IPs and feel the pressure to use RFC1918
numbers instead).  I'm certainly no expert at this, but from the outside
I've seen it done quite successfully.  It sure cuts down on the hop
count visible from traceroute too!

It's damn near impossible to debug from the outside, of course, but
sometimes that's desirable!  ;-)

> If you're proposing another set of addresses be reserved for uses like
> this, then I'd be in favor of it with you.  Using RFC1918 is certainly
> not the best way to do this, but using allocated space is no better as
> long as allocations are tight.

Using any other set of reserved addresses would have exactly the same
problem as using RFC1918 addresses has.  The only two viable options are
to either use globally unique addresses, or not to use any IP routing
internally at all.

> People don't know how to separate their internet DNS from intranet DNS.
> Or maybe they don't want to put the money into that kind of structure.
> If BIND could be modified to deliver different results depending on the
> source of the request, or its interface, then it might become easy for
> people to set up DNS to avoid this.

Yes, it can be done, but even I am not yet using the latest software,
which makes this much easier, on all the machines I manage.

-- 
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods () acm org>      <robohack!woods>
Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>
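The split-horizon behaviour Phil asks about above (different answers depending on who is asking) is what BIND 9's `view` statement provides. The following named.conf fragment is an added example and not part of the thread; it assumes an internal network of 10.0.0.0/8, a zone example.net, and two zone files db.example.net.internal and db.example.net.external that already exist on disk.

```conf
// Added example, not from the thread: BIND 9 split-horizon DNS using views.
// Assumed: internal hosts live in 10.0.0.0/8 (RFC1918); the two zone files
// named below are maintained separately by the administrator.
acl "internal-nets" { 10.0.0.0/8; 127.0.0.1; };

options {
    directory "/var/named";
    recursion no;              // safe default; the internal view overrides it
};

// Views are tried in order and the first match-clients hit wins, so the
// internal view must come before the catch-all external one.
view "internal" {
    match-clients { "internal-nets"; };
    recursion yes;             // inside hosts may resolve through this server
    zone "example.net" {
        type master;
        file "db.example.net.internal";   // intranet names, RFC1918 addresses
    };
};

// Everyone else sees only the public names with globally unique addresses.
// Nothing in db.example.net.external should carry an RFC1918 address, so
// the inside numbering never leaks to the Internet.
view "external" {
    match-clients { any; };
    recursion no;              // do not act as an open resolver
    zone "example.net" {
        type master;
        file "db.example.net.external";
    };
};
```

Run `named-checkconf` after editing to catch syntax errors, and query from both an inside and an outside address to confirm each view returns the expected data.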
