Date:      Fri, 1 Dec 2000 00:31:02 -0600
From:      Bill Fumerola <billf@mu.org>
To:        "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
Cc:        Igor Roshchin <str@giganda.komkon.org>, freebsd-security@FreeBSD.ORG
Subject:   Re: Danger Ports
Message-ID:  <20001201003102.I83422@elvis.mu.org>
In-Reply-To: <200012010607.WAA46736@gndrsh.dnsmgr.net>; from freebsd@gndrsh.dnsmgr.net on Thu, Nov 30, 2000 at 10:07:05PM -0800
References:  <20001130164905.E83422@elvis.mu.org> <200012010607.WAA46736@gndrsh.dnsmgr.net>

On Thu, Nov 30, 2000 at 10:07:05PM -0800, Rodney W. Grimes wrote:

> > I wouldn't go as far as BCP.
> 
> Well, RFC1918, aka BCP5 is pretty darn clear in section 3 paragraph 8:
> 
>    Because private addresses have no global meaning, routing information
>    about private networks shall not be propagated on inter-enterprise 
>    links, and packets with private source or destination addresses
>                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>    should not be forwarded across such links. Routers in networks not
>           ^^^^^^^^^^^^^^^^^^^^^^^
>    using private address space, especially those of Internet service
>    providers, are expected to be configured to reject (filter out)     
>    routing information about private networks. If such a router receives
>    such information the rejection shall not be treated as a routing    
>    protocol error.                                                      

You're mistaking "should" for "must". RFCs are very anal about pointing out
the difference between these words. Noncompliance is different than behavior
deemed suboptimal.

> The problem is that the other RFC/BCP's (2827, 3013 in particular) only
> talk about ingress filtering on source address, totally ignoring what
> RFC1918 says about these addresses :-(

> > See nanog archives.
> 
> Can you be more specific?

In the interest of ego (and proof that I am consistent if nothing else):
http://www.merit.edu/mail.archives/nanog/msg03756.html
In the interest of completeness:
http://www.merit.edu/mail.archives/nanog/msg03754.html

A search of "RFC1918" revealed these.

-- 
Bill Fumerola - security yahoo         / Yahoo! inc.
              - fumerola@yahoo-inc.com / billf@FreeBSD.org




