From owner-freebsd-security Thu Nov 30 22:58:33 2000
Delivered-To: freebsd-security@freebsd.org
Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220])
	by hub.freebsd.org (Postfix) with ESMTP id DD97737B400
	for ; Thu, 30 Nov 2000 22:58:27 -0800 (PST)
Received: from [127.0.0.1] (helo=softweyr.com ident=Fools trust ident!)
	by homer.softweyr.com with esmtp (Exim 3.16 #1)
	id 141kBo-0000BI-00; Fri, 01 Dec 2000 00:01:00 -0700
Message-ID: <3A274CAC.840ADD9C@softweyr.com>
Date: Fri, 01 Dec 2000 00:01:00 -0700
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Bill Fumerola
Cc: "Rodney W. Grimes" , Igor Roshchin , freebsd-security@FreeBSD.ORG
Subject: Re: Danger Ports
References: <20001130164905.E83422@elvis.mu.org> <200012010607.WAA46736@gndrsh.dnsmgr.net> <20001201003102.I83422@elvis.mu.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Bill Fumerola wrote:
>
> On Thu, Nov 30, 2000 at 10:07:05PM -0800, Rodney W. Grimes wrote:
>
> > > I wouldn't go as far as BCP.
> >
> > Well, RFC1918, aka BCP5 is pretty darn clear in section 3 paragraph 8:
> >
> >    Because private addresses have no global meaning, routing information
> >    about private networks shall not be propagated on inter-enterprise
> >    links, and packets with private source or destination addresses
> >                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >    should not be forwarded across such links. Routers in networks not
> >    ^^^^^^^^^^^^^^^^^^^^^^^
> >    using private address space, especially those of Internet service
> >    providers, are expected to be configured to reject (filter out)
> >    routing information about private networks. If such a router receives
> >    such information the rejection shall not be treated as a routing
> >    protocol error.
>
> You're mistaking "should" for "must". RFCs are very anal about pointing out
> the difference between these words. Noncompliance is different than behavior
> deemed suboptimal.

This is a configuration issue as well. Your ISP may consider their entire
network, including all customers, a private network and dole out 10.x.x.x
addresses to you. I'd hate to see their NAT tables, unless they're a good
old 6-customer ISP.

-- 
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                              Softweyr LLC
wes@softweyr.com                                http://softweyr.com/