Exodus / Clue problems
Daniel Senie
dts at senie.com
Mon Nov 16 21:02:34 UTC 1998
John Fraizer wrote:
>
> Why on earth would anyone let any of the following networks in to their
> network at the border?
>
> 10.0.0.0/8
> 172.16.0.0/12
> 192.168.0.0/16
>
> Hell, for that matter, I block anything claiming to be from our networks as
> well. There's no way they'll be originating from the outside unless it's
> spoofed.
>
> Nothing and I mean NOTHING claiming to be from any of them at your border
> is valid.
Define "network border." I used to block all traffic from or to RFC1918
addresses, but my present upstream is using 10.0.0.0/8 and
172.16.0.0/16, at least, for their internal use. So, the IP address of
the WAN interface on my router connecting to them has a 10.0.0.0/8
address. If I block incoming traffic to 10.0.0.0/8, they can't monitor
my net.
It appears this is becoming the preferred way for ISPs to limit their
use of address space for internal-only functions. While this makes sense
at some levels, attached corporate networks may have already used those
addresses. The result is some level of confusion, though for the most
part it doesn't break too many things. Mostly, it's just annoying since
firewalls can't filter out stuff they'd otherwise limit.
In cases where ISPs use RFC1918 addresses within their networks, they
really should:
- Tell their downstream customers WHICH of these blocks are in use.
- Provide filters at peering points that ensure RFC1918 addresses from
outside the ISP's space do not come in from outside.
- Provide Ingress filtering at all downstream customer ports to ensure
only valid source IP addresses come from their customers.
Dan
--
-----------------------------------------------------------------
Daniel Senie dts at senie.com
Amaranth Networks Inc. http://www.amaranthnetworks.com
More information about the NANOG
mailing list