nanog mailing list archives
Re: address spoofing
From: "Forrest W. Christian" <forrestc () iMach com>
Date: Fri, 23 Apr 1999 15:17:09 -0600 (MDT)
There have been a couple of things brought up here which bother me. First of all, everyone seems to think that this paragraph:
"Because private addresses have no global meaning, routing information about private networks shall not be propagated on inter-enterprise links, and packets with private source or destination addresses should not be forwarded across such links. Routers in networks not using private address space, especially those of Internet service providers, are expected to be configured to reject (filter out) routing information about private networks. If such a router receives such information the rejection shall not be treated as a routing protocol error."
means that packets with source addresses from RFC 1918 space should not be permitted on the global internet. While I agree that RFC 1918 addresses should not be used on internet visible interfaces, I'm unaware of anywhere in the RFCs where it says that "routers should be configured to reject packets coming from RFC 1918 space." In fact, I can think of several things which this will likely break, such as MTU path discovery. Note that "routing information" is NOT the same as "packets from RFC 1918 space".

Also, I've seen several people filtering stuff on borders such as:

    deny tcp any any eq 2049

(and several other >1024 port numbers)

Remember, on machines where nothing is bound to 2049, 2049 is a perfectly acceptable port to use for ANY type of TCP connection. Only ports below 1024 are reserved. If you happen to have a filter on, say, port 2049 between you and the destination and your TCP implementation gives you 2049 for a given TCP connection, the connection will fail.

- Forrest W. Christian (forrestc () imach com)
----------------------------------------------------------------------
iMach, Ltd., P.O. Box 5749, Helena, MT 59604 http://www.imach.com
Solutions for your high-tech problems. (406)-442-6648
----------------------------------------------------------------------
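The two failure modes raised in the post can be checked with a small model of a stateless, first-match border ACL. The following is an added example, not code from the post or from NANOG: it evaluates the quoted "deny tcp any any eq 2049" line against both directions of a TCP handshake, and evaluates a hypothetical "deny any packet with a private source" rule against an ICMP "fragmentation needed" message from a router numbered out of 10/8. The addresses (203.0.113.10, 198.51.100.5, 10.0.0.1), the port sample and the rule set are constructed for the illustration; the ACL semantics (match on destination port only, implicit permit at the end) are assumptions of the model rather than a transcription of any vendor's syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# RFC 1918 private address blocks (these three prefixes are from the RFC itself).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    sport: int        # 0 for ICMP
    dst: str
    dport: int        # 0 for ICMP
    note: str = ""    # human-readable label, not used for matching


@dataclass(frozen=True)
class Rule:
    action: str                          # "deny" or "permit"
    proto: str                           # "tcp", "udp", "icmp" or "ip" (any protocol)
    dport: Optional[int] = None          # None means any destination port
    src_private: Optional[bool] = None   # True: only RFC 1918 sources; None: don't care


def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the three RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Hypothetical matcher: like 'deny tcp any any eq N', the port test is on the
    destination port only, so the source (ephemeral) port is never inspected."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.src_private is not None and is_rfc1918(pkt.src) != rule.src_private:
        return False
    return True


def filter_packet(acl: List[Rule], pkt: Packet) -> str:
    """First-match evaluation with an implicit permit at the end (assumed policy:
    'deny the listed things, allow the rest'; a default-deny firewall would differ)."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "permit"


def connection_survives(acl: List[Rule], client_ip: str, client_port: int,
                        server_ip: str, server_port: int) -> bool:
    """A stateless filter sits in both directions of the path, so the SYN and the
    returning SYN/ACK must each pass for the handshake to complete."""
    syn = Packet("tcp", client_ip, client_port, server_ip, server_port, "SYN")
    synack = Packet("tcp", server_ip, server_port, client_ip, client_port, "SYN/ACK")
    return filter_packet(acl, syn) == "permit" and filter_packet(acl, synack) == "permit"


# The border filter quoted in the post, expressed in this model.
BORDER_ACL = [Rule("deny", "tcp", dport=2049)]


def ephemeral_port_check(acl: List[Rule] = BORDER_ACL) -> Dict[int, bool]:
    """Which client-side ephemeral ports (constructed sample) let a fetch of port 80
    complete through the filter. Port 2049 fails: the SYN/ACK coming back has it as
    its destination port and hits the deny line."""
    return {port: connection_survives(acl, "203.0.113.10", port, "198.51.100.5", 80)
            for port in (2048, 2049, 2050)}


# A hypothetical rule dropping every packet whose *source* is RFC 1918 space.
PRIVATE_SOURCE_ACL = [Rule("deny", "ip", src_private=True)]


def pmtud_icmp_check(acl: List[Rule] = PRIVATE_SOURCE_ACL) -> str:
    """A router numbered from 10/8 on a transit link emits ICMP type 3 code 4
    ('fragmentation needed'); the private-source rule discards it, so the sending
    host never learns the smaller MTU. This is the path MTU discovery breakage the
    post alludes to, modelled with constructed addresses."""
    frag_needed = Packet("icmp", "10.0.0.1", 0, "203.0.113.10", 0, "type 3 code 4")
    return filter_packet(acl, frag_needed)


if __name__ == "__main__":
    print("handshake outcome by ephemeral port:", ephemeral_port_check())
    print("ICMP frag-needed from 10.0.0.1 under private-source deny:", pmtud_icmp_check())
```

The ephemeral-port result is the point of the post's second complaint: the rule was written to keep a service out, but because a stateless ACL sees the reply traffic of every client whose OS happened to pick that port, it silently breaks unrelated connections. A stateful filter, or a rule that also constrains direction, avoids the collateral damage.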