Date:      Thu, 30 Nov 2000 22:07:05 -0800 (PST)
From:      "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
To:        billf@mu.org (Bill Fumerola)
Cc:        str@giganda.komkon.org (Igor Roshchin), freebsd-security@FreeBSD.ORG
Subject:   Re: Danger Ports
Message-ID:  <200012010607.WAA46736@gndrsh.dnsmgr.net>
In-Reply-To: <20001130164905.E83422@elvis.mu.org> from Bill Fumerola at "Nov 30, 2000 04:49:05 pm"

> On Thu, Nov 30, 2000 at 10:20:57AM -0800, Rodney W. Grimes wrote:
> 
> > No they won't suffer, reserved networks are reserved, blocking them
> > at AS boundaries is a BCP, both source and destination address.  It
> > does do some funny things to traceroute, but it doesn't affect normal
> > operations:
> 
> I wouldn't go as far as BCP.

Well, RFC1918, aka BCP5 is pretty darn clear in section 3 paragraph 8:

   Because private addresses have no global meaning, routing information
   about private networks shall not be propagated on inter-enterprise 
   links, and packets with private source or destination addresses
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   should not be forwarded across such links. Routers in networks not
          ^^^^^^^^^^^^^^^^^^^^^^^
   using private address space, especially those of Internet service
   providers, are expected to be configured to reject (filter out)     
   routing information about private networks. If such a router receives
   such information the rejection shall not be treated as a routing    
   protocol error.                                                      


The problem is that the other RFC/BCPs (2827, 3013 in particular) only
talk about ingress filtering on source address, totally ignoring what
RFC1918 says about these addresses :-(

 
> See nanog archives.

Can you be more specific?

-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25)               rgrimes@gndrsh.dnsmgr.net

