From: "Rodney W. Grimes"
Message-Id: <200012010607.WAA46736@gndrsh.dnsmgr.net>
Subject: Re: Danger Ports
In-Reply-To: <20001130164905.E83422@elvis.mu.org> from Bill Fumerola at "Nov 30, 2000 04:49:05 pm"
To: billf@mu.org (Bill Fumerola)
Date: Thu, 30 Nov 2000 22:07:05 -0800 (PST)
Cc: str@giganda.komkon.org (Igor Roshchin), freebsd-security@FreeBSD.ORG

> On Thu, Nov 30, 2000 at 10:20:57AM -0800, Rodney W. Grimes wrote:
>
> > No they won't suffer, reserved networks are reserved, blocking them
> > at AS boundaries is a BCP, both source and destination address. It
> > does do some funny things to traceroute, but it doesn't affect normal
> > operations:
>
> I wouldn't go as far as BCP.

Well, RFC1918, aka BCP5 is pretty darn clear in section 3 paragraph 8:

   Because private addresses have no global meaning, routing information
   about private networks shall not be propagated on inter-enterprise
   links, and packets with private source or destination addresses
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   should not be forwarded across such links. Routers in networks not
   ^^^^^^^^^^^^^^^^^^^^^^^
   using private address space, especially those of Internet service
   providers, are expected to be configured to reject (filter out)
   routing information about private networks. If such a router receives
   such information the rejection shall not be treated as a routing
   protocol error.

The problem is that the other RFC/BCPs (2827, 3013 in particular) only
talk about ingress filtering on source address, totally ignoring what
RFC1918 says about these addresses :-(

> See nanog archives.

Can you be more specific?

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25)               rgrimes@gndrsh.dnsmgr.net
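
Added example, not part of the original message: a small Python model of the gap described above, comparing a border filter that checks only the source address with one that follows RFC 1918 section 3 and checks both source and destination. The function names and the sample packets are constructed for illustration, and the source-only filter is simplified to private sources only.

```python
import ipaddress

# The three private blocks defined in RFC 1918 section 3.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    """True if addr is an IPv4 address inside one of the private blocks."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918_NETS)

def source_only_filter(src, dst):
    """Ingress filtering on source address only (dst is never inspected)."""
    return "drop" if is_rfc1918(src) else "pass"

def rfc1918_filter(src, dst):
    """RFC 1918 section 3: private source OR destination is not forwarded."""
    return "drop" if is_rfc1918(src) or is_rfc1918(dst) else "pass"

def policy_gap(packets):
    """Packets a source-only filter forwards but the RFC 1918 rule drops."""
    return [(s, d) for s, d in packets
            if source_only_filter(s, d) == "pass"
            and rfc1918_filter(s, d) == "drop"]

# Constructed (src, dst) pairs seen on an inter-enterprise link.
SAMPLE_PACKETS = [
    ("198.51.100.7", "203.0.113.10"),    # public to public
    ("10.1.2.3", "203.0.113.10"),        # private source, e.g. a router numbered
                                         # from 10/8 answering a traceroute probe
    ("198.51.100.7", "192.168.1.20"),    # public source, private destination
    ("198.51.100.7", "172.32.0.1"),      # just outside 172.16.0.0/12
    ("172.31.255.254", "10.0.0.1"),      # private on both sides
]

if __name__ == "__main__":
    for src, dst in SAMPLE_PACKETS:
        print(f"{src:>15} -> {dst:<15} source-only={source_only_filter(src, dst):4} "
              f"rfc1918={rfc1918_filter(src, dst)}")
    print("forwarded by source-only filtering, dropped by RFC 1918 rule:",
          policy_gap(SAMPLE_PACKETS))
```

The only packet in the gap is the one with a public source and a private destination, which is the case the source-only documents leave unfiltered.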