Re: RFC 1918

[John Fraizer <nanog () EnterZone Net>]

On Sun, 16 Jul 2000, Bohdan Tashchuk wrote:

> The relevant snippet of my rules on my ingress filter is:
>       
>       1) ... block bad things such as unused or spoofed addrs ...
>       2) allow icmp from any to any icmptypes 0,3,4,11,12
>       3) deny ip from 10.0.0.0/8 to any
>       4) deny ip from 172.16.0.0/12 to any
>       5) deny ip from 192.168.0.0/16 to any
>       6) allow tcp from any to any 1024-65535 established
>       7) ... some other rules ...
>       8) deny everything else by default
>
> Line #2 allows relatively benign incoming ICMP, such as "fragmentation
> needed", but hopefully blocks the more problematic stuff.
<SNIP>
> If you take it upon yourself to "filter all RFC1918 usage" from the outside
> world, you (and your customers) will suffer for it. Because it seems to be
> established practice out there.


The ruleset you use is great for a leaf-node.  The problem it can
represent on the borders of a larger network is that a lot of nice script
kiddies like to spoof their source as RFC1918 space and since ICMP is 8
times out of 10 their payload, using such on the edges exposes the core
(and potentially some poor customer of yours on a DS1, etc) to whatever
level of hate-and-discontent you're capable of accepting on the borders. 


---
John Fraizer
EnterZone, Inc