BCP38 exceptions for RFC1918 space
Valdis.Kletnieks at vt.edu
Valdis.Kletnieks at vt.edu
Sun Aug 15 16:26:38 UTC 2010
On Sun, 15 Aug 2010 18:14:41 +0200, Florian Weimer said:
> What's the current consensus on exempting private network space from
> source address validation? Is it recommended? Discouraged?
What you do on your internal networks and internal transit is your business.
BCP38 talks about where you connect to the rest of the world.
RFC 1918 is specific that you're supposed to get all medieval on any escaping packets:
It is strongly recommended that routers which connect enterprises to
external networks are set up with appropriate packet and routing
filters at both ends of the link in order to prevent packet and
routing information leakage. An enterprise should also filter any
private networks from inbound routing information in order to protect
itself from ambiguous routing situations which can occur if routes to
the private address space point outside the enterprise.
> (One argument in favor of exceptions is that it makes PMTUD work if
> transfer networks use private address space.)
And that connection that's trying to use PMTU got established across the
commodity internet, how, exactly? ;) That implies you let some routing
info escape and got one of those "ambiguous routing situations".
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20100815/7c78f202/attachment.sig>
More information about the NANOG
mailing list