nanog mailing list archives
Re: address spoofing
From: woods () most weird com (Greg A. Woods)
Date: Sat, 24 Apr 1999 13:01:48 -0400 (EDT)
[ On Friday, April 23, 1999 at 21:25:29 (-0500), Phil Howard wrote: ]
> So are you making a case to allow RFC1918 source addresses out into the network?
Huh? No, I thought I was saying very much the opposite! I don't want my upstream provider to use RFC1918 on inter-router links, but they do anyway. I'd like them to filter those addresses too, but they won't.
> How do you hide an IP network?
If you do all your internal routing over ATM or FR virtual circuits then you won't need to (and in fact cannot) use IP numbers for those circuits -- it all looks like the physical layer from IP's perspective (the theory being that if you don't need IPs for inter-router links then you won't be using precious unique IPs and feel the pressure to use RFC1918 numbers instead). I'm certainly no expert at this, but from the outside I've seen it done quite successfully. It sure cuts down on the hop count visible from traceroute too! It's damn near impossible to debug from the outside, of course, but sometimes that's desirable! ;-)
> If you're proposing another set of addresses be reserved for uses like this, then I'd be in favor of it with you. Using RFC1918 is certainly not the best way to do this, but using allocated space is no better as long as allocations are tight.
Using any other set of reserved addresses would have exactly the same problem as using RFC1918 addresses has. The only two viable options are to either use globally unique addresses, or not to use any IP routing internally at all.
> People don't know how to separate their internet DNS from intranet DNS. Or maybe they don't want to put the money into that kind of structure. If BIND could be modified to deliver different results depending on the source of the request, or its interface, then it might become easy for people to set up DNS to avoid this.
Yes, it can be done, but even I am not yet using the latest software, which makes this much easier, on all the machines I manage.
-- 
Greg A. Woods +1 416 218-0098 VE3TCP <gwoods () acm org> <robohack!woods>
Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>
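The filtering Greg wants his upstream to do (dropping RFC1918 sources at the border) is the ingress/egress source-address filtering later written up as RFC 2827 / BCP 38. The following is an added example, not code posted by anyone in this thread: a Python model of such a filter on a site border router with an "upstream" and a "customer" interface. The site prefix (198.51.100.0/24, RFC 5737 documentation space) and the sample packets are constructed for illustration.

```python
"""Border anti-spoofing filter in the style of RFC 2827 / BCP 38.

Added example for this thread, not code posted by any participant.
Models a site border router with two interfaces:
  upstream  - packets arriving from the provider
  customer  - packets leaving the site toward the provider
The site prefix and the sample packets are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Sources that must never appear on a packet arriving from the Internet:
# RFC 1918 private space plus loopback, link-local and "this network".
NON_ROUTABLE = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
    ip_network("127.0.0.0/8"),
    ip_network("169.254.0.0/16"),
    ip_network("0.0.0.0/8"),
]

# Hypothetical allocation for the site behind this router (assumption;
# 198.51.100.0/24 is documentation space from RFC 5737).
OUR_PREFIXES = [ip_network("198.51.100.0/24")]


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    iface: str  # "upstream" (inbound from provider) or "customer" (outbound)


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def filter_packet(pkt):
    """Return ("permit" | "drop", reason) for one packet."""
    if pkt.iface == "upstream":
        # Ingress: the outside world can never legitimately originate these.
        if _in_any(pkt.src, NON_ROUTABLE):
            return "drop", "non-routable source arriving from upstream"
        if _in_any(pkt.src, OUR_PREFIXES):
            return "drop", "our own prefix as source arriving from upstream (spoofed)"
        return "permit", "inbound"
    if pkt.iface == "customer":
        # Egress: only sources we were actually allocated may leave the site,
        # so hosts here cannot be used to launch spoofed-source traffic.
        if not _in_any(pkt.src, OUR_PREFIXES):
            return "drop", "egress source outside our allocation"
        return "permit", "outbound"
    return "drop", "unknown interface %r" % pkt.iface


def decide(src, dst, iface):
    """String-based convenience wrapper: returns just the verdict."""
    return filter_packet(Packet(ip_address(src), ip_address(dst), iface))[0]


# Constructed traffic: a mix of legitimate and spoofed packets.
SAMPLE_PACKETS = [
    ("203.0.113.9", "198.51.100.20", "upstream"),    # ordinary inbound
    ("10.3.4.5", "198.51.100.20", "upstream"),       # RFC 1918 source from outside
    ("198.51.100.20", "198.51.100.21", "upstream"),  # our own address arriving from outside
    ("198.51.100.20", "203.0.113.9", "customer"),    # ordinary outbound
    ("192.0.2.77", "203.0.113.9", "customer"),       # outbound with a forged source
]


def run_filter(packets=SAMPLE_PACKETS):
    """Apply the filter to (src, dst, iface) tuples; return [(src, iface, verdict)]."""
    return [(src, iface, decide(src, dst, iface)) for src, dst, iface in packets]


if __name__ == "__main__":
    for src, iface, verdict in run_filter():
        print("%-16s %-9s %s" % (src, iface, verdict))
```

One practical caveat, which is the flip side of the complaint earlier in this message: if the provider numbers its inter-router links out of RFC1918 space, the ICMP time-exceeded replies those routers send during a traceroute carry RFC1918 source addresses, so a filter like the one above drops them and those hops show up as timeouts. That is why providers who use private addresses on infrastructure links are reluctant to filter them, and why Greg would rather they did not use them at all.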