nanog mailing list archives

Re: RFC 1918


From: "Richard A. Steenbergen" <ras () e-gerbil net>
Date: Tue, 18 Jul 2000 20:24:58 -0400 (EDT)


On Tue, 18 Jul 2000, Eric A. Hall wrote:

> "Richard A. Steenbergen" wrote:
> 
> > On Mon, 17 Jul 2000, Eric A. Hall wrote:
> > 
> > > When ISPs choose to mark their packets with Internet-illegal
> > > addresses, they are contributing to these problems. Sorry, but
> > > you're not supposed to be using these addresses anyway.
> > 
> > This is utterly stupid. You can use these addresses any way you see
> > fit, you can source packets from them if you'd like, and they are as
> > valid as any other address to use and be "on the internet".
> 
> What's dumber?
> 
>  a) Filtering illegal packets from entering your network because
>     they use your internal address range, because they are classed
>     unroutable and should never appear on that interface, or both

Unroutable means you can't reach where the packets came from, not that the
packets can't reach you. Just because you can't reply doesn't mean someone
shouldn't be allowed to send you an informative piece of information, like
a traceroute ttl-exceed.

>  b) Sending packets that you KNOW will be dropped or filtered by
>     a good portion of their intended recipients.

This is not true. For the people like you who think they need to filter
it, you've accomplished your goal. For the rest of the world, they simply
do not care.
 
Obviously it's not preferred by anyone to have RFC1918 sourced packets out
there, mainly because they're not all that useful. But IMHO your belief
that these are "Illegal bad wrong packets which should never appear on
that interface" is incorrect.

As for the DoS issue, as I explained to someone in private email, there
are three distinctions you can break a filter into:

1) It provides security
2) It stops an attack
3) It reduces an attack

RFC1918 filters obviously do not provide security.
RFC1918 filters obviously do not "stop" any attacks outright.
RFC1918 filters reduce the impact of attacks which can spoof by 3.19%

I really don't see why you're wasting your time on it. Actually I really
don't see why we're wasting our time arguing, this thread has long
outlived its usefulness. But IMHO the RFC1918-nazi is not needed. :P

-- 
Richard A Steenbergen <ras () e-gerbil net>   http://www.e-gerbil.net/humble
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)
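As an added illustration of the filter Eric describes under (a) and the traceroute side effect Richard raises, not code from either poster: a small Python model of a source-address ingress filter that drops packets whose source falls in RFC 1918 space or in the site's own prefix. The prefix 192.0.2.0/24 is an assumed documentation range standing in for "your internal address range", and the packets are constructed samples, including an ICMP time-exceeded from a router hop numbered out of 10/8, which is exactly the informative packet such a filter throws away.

```python
import ipaddress
from collections import Counter

# The three RFC 1918 private blocks (values from the RFC, not constructed).
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed (hypothetical) prefix standing in for "our internal address range".
OUR_PREFIX = ipaddress.ip_network("192.0.2.0/24")


def classify_source(src, our_prefix=OUR_PREFIX):
    """Return the reason an ingress filter would drop a packet arriving on
    the external interface with source address `src`, or None if it passes."""
    addr = ipaddress.ip_address(src)
    if addr in our_prefix:
        return "own-prefix"      # our own addresses must never arrive from outside
    if any(addr in net for net in RFC1918):
        return "rfc1918"         # private source: nothing to reply to, but still a packet
    return None


def apply_filter(packets, our_prefix=OUR_PREFIX):
    """Split packets into (passed, dropped); dropped entries carry the reason."""
    passed, dropped = [], []
    for pkt in packets:
        reason = classify_source(pkt["src"], our_prefix)
        if reason is None:
            passed.append(pkt)
        else:
            dropped.append((pkt, reason))
    return passed, dropped


# Constructed sample packets as seen at an external interface.
SAMPLE_PACKETS = [
    {"src": "10.1.1.1", "proto": "icmp", "type": "time-exceeded",
     "note": "traceroute hop on a core link numbered out of 10/8"},
    {"src": "203.0.113.7", "proto": "tcp", "flags": "SYN",
     "note": "ordinary connection attempt"},
    {"src": "192.0.2.55", "proto": "tcp", "flags": "SYN",
     "note": "arrives from outside with one of our own addresses"},
    {"src": "172.31.4.9", "proto": "udp",
     "note": "flood packet with a private source"},
    {"src": "198.51.100.3", "proto": "udp",
     "note": "flood packet with a public source"},
]


def summarize(packets=SAMPLE_PACKETS):
    """Count what the filter passes, what it drops and why, and how many
    legitimate ICMP time-exceeded diagnostics are lost along the way."""
    passed, dropped = apply_filter(packets)
    counts = Counter(reason for _, reason in dropped)
    lost_diagnostics = [p for p, _ in dropped if p.get("type") == "time-exceeded"]
    return {
        "passed": len(passed),
        "dropped": dict(counts),
        "lost_time_exceeded": len(lost_diagnostics),
    }


if __name__ == "__main__":
    for pkt, reason in apply_filter(SAMPLE_PACKETS)[1]:
        print(f"drop {pkt['src']:<14} ({reason}): {pkt['note']}")
    print(summarize())
```

Run over the sample, the filter drops the own-prefix SYN and the two private-sourced packets, and the only ICMP time-exceeded in the set is among the casualties; the public-sourced flood packet sails through, which is the "reduces, doesn't stop" point from the post.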



