Date:      Thu, 7 Dec 2000 09:54:12 +0200 (IST)
From:      Roman Shterenzon <roman@xpert.com>
To:        Bill Fumerola <billf@mu.org>
Cc:        <freebsd-security@FreeBSD.ORG>
Subject:   Re: Danger Ports
Message-ID:  <Pine.LNX.4.30.0012070942170.7070-100000@jamus.xpert.com>
In-Reply-To: <20001201003102.I83422@elvis.mu.org>

On Fri, 1 Dec 2000, Bill Fumerola wrote:

> On Thu, Nov 30, 2000 at 10:07:05PM -0800, Rodney W. Grimes wrote:
>
> > > I wouldn't go as far as BCP.
> >
> > Well, RFC1918, aka BCP5 is pretty darn clear in section 3 paragraph 8:
> >
> >    Because private addresses have no global meaning, routing information
> >    about private networks shall not be propagated on inter-enterprise
> >    links, and packets with private source or destination addresses
> >                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >    should not be forwarded across such links. Routers in networks not
> >           ^^^^^^^^^^^^^^^^^^^^^^^
> >    using private address space, especially those of Internet service
> >    providers, are expected to be configured to reject (filter out)
> >    routing information about private networks. If such a router receives
> >    such information the rejection shall not be treated as a routing
> >    protocol error.
>
> You're mistaking "should" for "must". RFCs are very anal about pointing out
> the difference between these words. Noncompliance is different than behavior
> deemed suboptimal.
>
> > The problem is that the other RFC/BCP's (2827, 3013 in particular) only
> > talk about ingress filtering on source address, totally ignoring what
> > RFC1918 says about these addresses :-(
>
> > > See nanog archives.
> >
> > Can you be more specific?
>
> In the interest of ego (and proof that I am consistent if nothing else):
> http://www.merit.edu/mail.archives/nanog/msg03756.html
> In the interest of completeness:
> http://www.merit.edu/mail.archives/nanog/msg03754.html
>
> A search of "RFC1918" revealed these.

A question here is whether we all agree that using private addresses and
"unassigned" router interfaces is a bad practice and should be avoided.
Another question is what are the benefits and misgivings of filtering
private-IP-originated traffic (keeping in mind that it might get dropped
even before it reaches your routers).

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ]
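The RFC1918 section 3 rule quoted above (packets with a private source or destination should not cross an inter-enterprise link) as a small border-filter check, run over constructed sample packets. This is an added example, not code from the thread or from FreeBSD; the interface names, the `Packet` structure and the sample addresses are assumptions.

```python
"""Border filter check for RFC1918 addresses (added example, not from the thread)."""
import ipaddress
from typing import NamedTuple

# The three private blocks RFC1918 section 3 sets aside.
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


class Packet(NamedTuple):
    iface: str  # interface the packet arrived on (hypothetical names below)
    src: str
    dst: str


def is_private(addr: str) -> bool:
    """True if addr falls in any RFC1918 block."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETS)


def border_verdict(pkt: Packet, external_ifaces: frozenset) -> str:
    """Apply the RFC1918 rule only on inter-enterprise (external) links.

    Packets seen on internal interfaces pass untouched so the private
    network itself keeps working; on an external link a private source
    *or* destination is dropped. RFC1918 says "should", so treating this
    as a hard drop is a local policy choice, as the thread points out.
    """
    if pkt.iface not in external_ifaces:
        return "pass"
    if is_private(pkt.src):
        return "drop:private-src"
    if is_private(pkt.dst):
        return "drop:private-dst"
    return "pass"


# Constructed sample traffic: fxp0 is the (assumed) upstream link,
# fxp1 the inside; public addresses use the documentation ranges.
SAMPLE_PACKETS = [
    Packet("fxp0", "10.1.2.3", "203.0.113.5"),       # private src on uplink
    Packet("fxp0", "203.0.113.5", "192.168.1.1"),    # private dst on uplink
    Packet("fxp1", "10.1.2.3", "10.4.5.6"),          # internal, left alone
    Packet("fxp0", "198.51.100.7", "203.0.113.5"),   # ordinary public traffic
]


def filter_packets(pkts, external_ifaces=frozenset({"fxp0"})):
    """Return (packet, verdict) pairs for a batch of packets."""
    return [(p, border_verdict(p, external_ifaces)) for p in pkts]
```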