Security Incidents mailing list archives
Re: Private networks and home.{net|com}
From: marcs () ZNEP COM (Marc Slemko)
Date: Wed, 9 Feb 2000 09:27:48 -0700
On Tue, 8 Feb 2000, Andersson, Rasmus wrote:
> Yes, there is something you don't completely understand :-) The private nets are not routed on the Internet. A very good example of use for that is link networks, just connecting two or more routers. Besides saving public addresses, it adds some security. In what way does that "destroy the meaning of the concept"? You cannot reach that router, and you have no reason for doing that. But that router can reach you with ICMP messages if need be. Or route your packets. This is why you should not filter ALL packets from private nets, you must let ICMP unreachables and time-exceededs through. Otherwise you will break Path-MTU-discovery.
No. This is why systems that generate ICMP messages sent to public IPs from private source addresses are broken. It is perfectly legitimate to filter all traffic from private address space and, in fact, is often a necessary part of a security policy if you are using those addresses yourself. That is why they are called private addresses; by their very intent, they will be used at more than one site. So no site can make presumptions about packets with a private source address making it to any given remote system.

It is fine to use private IPs for link addresses as long as they never generate any traffic which is seen by the outside world and which is sourced from that IP. The moment they do, your network is broken. It is not the fault of the people that are legitimately filtering such bogus packets.

In general, I recommend against using private address space for link addresses for exactly this reason.
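The border filtering discussed in this exchange, as an added example that is not part of the original post: a Python sketch that drops every packet arriving from outside with an RFC 1918 source and separately labels the ICMP unreachable and time-exceeded messages the quoted text mentions, so the affected upstream hops can be reported. The packet record layout, function names and sample records are assumptions made for illustration.

```python
import ipaddress

# RFC 1918 private address blocks.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# ICMP (type, code) pairs that Path MTU discovery and traceroute rely on.
ICMP_NAMES = {
    (3, 4): "unreachable/fragmentation-needed (Path MTU discovery)",
    (11, 0): "time-exceeded in transit",
}

def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def ingress_verdict(pkt):
    """Decide what a border filter does with a packet arriving from outside.

    pkt is a dict (hypothetical layout) with 'src', 'proto' and, for ICMP,
    'type' and 'code'. Returns (action, note).
    """
    if not is_private(pkt["src"]):
        return ("accept", "public source")
    if pkt["proto"] == "icmp":
        name = ICMP_NAMES.get((pkt.get("type"), pkt.get("code")))
        if name:
            return ("drop", "private-sourced ICMP " + name +
                    ": likely a router numbered out of RFC 1918 space")
    return ("drop", "private source seen on external interface")

def summarize(packets):
    """Count dropped packets per private source, for reporting upstream."""
    counts = {}
    for pkt in packets:
        if ingress_verdict(pkt)[0] == "drop":
            counts[pkt["src"]] = counts.get(pkt["src"], 0) + 1
    return counts

# Constructed sample records (not real captures).
SAMPLE = [
    {"src": "198.51.100.7", "proto": "tcp"},
    {"src": "10.1.2.1", "proto": "icmp", "type": 3, "code": 4},
    {"src": "172.16.9.1", "proto": "icmp", "type": 11, "code": 0},
    {"src": "192.168.0.5", "proto": "udp"},
    {"src": "10.1.2.1", "proto": "icmp", "type": 3, "code": 4},
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p["src"], *ingress_verdict(p))
    print(summarize(SAMPLE))
```
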