address spoofing

Forrest W. Christian forrestc at iMach.com
Fri Apr 23 21:17:09 UTC 1999


There have been a couple of things brought up here which bother me.

First of all, everyone seems to think that this paragraph:

> "Because private addresses have no global meaning, routing information
> about private networks shall not be propagated on inter-enterprise
> links, and packets with private source or destination addresses should
> not be forwarded across such links. Routers in networks not using
> private address space, especially those of Internet service providers,
> are expected to be configured to reject (filter out) routing information
> about private networks. If such a router receives such information the
> rejection shall not be treated as a routing protocol error."

means that packets with source addresses from RFC 1918 space should not be
permitted on the global internet. While I agree that RFC 1918 addresses
should not be used on internet-visible interfaces, I'm unaware of anywhere
in the RFCs where it says that "routers should be configured to reject
packets coming from RFC 1918 space." In fact, I can think of several
things which this will likely break, such as MTU path discovery. Note
that "routing information" is NOT the same as "packets from RFC 1918
space".

Also, I've seen several people filtering stuff on borders such as:

  deny tcp any any eq 2049
  (and several other >1024 port numbers)

Remember, on machines where nothing is bound to 2049, 2049 is a perfectly
acceptable port to use for ANY type of TCP connection. Only ports below
1024 are reserved. If you happen to have a filter on, say, port 2049
between you and the destination and your TCP implementation gives you 2049
for a given TCP connection, the connection will fail.

- Forrest W. Christian (forrestc at imach.com) 
----------------------------------------------------------------------
iMach, Ltd., P.O. Box 5749, Helena, MT 59604 http://www.imach.com
Solutions for your high-tech problems.  (406)-442-6648
----------------------------------------------------------------------
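Added example (not part of the post above, and not the author's code): a toy first-match ACL evaluator run over a constructed packet exchange, to show concretely the two effects the post describes. A `deny tcp any any eq 2049` rule matches on destination port, so when a local stack happens to pick 2049 as the ephemeral source port for an outbound HTTP connection, the returning SYN-ACK (destination port 2049) is dropped and the connection fails. A variant that only denies packets without the ACK flag set (an approximation of the Cisco `established` keyword, which also accepts RST) still blocks unsolicited inbound NFS connection attempts but lets the return traffic through. The same evaluator also shows what a blanket RFC 1918 source filter does to an ICMP "fragmentation needed" message sent by an intermediate router numbered from 10/8, which is the Path MTU discovery case the post raises. All addresses, port numbers and the rule syntax are illustrative assumptions.

```python
# Toy border-ACL evaluator. Added illustration, not code from the post
# or from any router vendor; addresses, ports and rule fields are assumed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# RFC 1918 private address blocks.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK flag set: reply traffic of an existing flow


@dataclass(frozen=True)
class Rule:
    action: str                         # "deny" or "permit"
    proto: str = "ip"                   # "ip" matches any protocol
    dport: Optional[int] = None         # destination port, like "eq N"
    src_private: bool = False           # match any RFC 1918 source address
    established: Optional[bool] = None  # True: ACK set only; False: no ACK only

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.src_private and not any(ip_address(p.src) in n for n in RFC1918):
            return False
        if self.established is not None and p.ack != self.established:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First-match ACL. Ends in an implicit permit so only the deny rules matter."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "permit"


# --- Constructed traffic (assumed addresses from documentation ranges) ---
# 1. Outbound HTTP where the local stack chose 2049 as its ephemeral port.
SYN = Packet("tcp", "203.0.113.10", "198.51.100.80", sport=2049, dport=80)
SYN_ACK = Packet("tcp", "198.51.100.80", "203.0.113.10", sport=80, dport=2049, ack=True)
# 2. Unsolicited inbound connection attempt to NFS (TCP 2049).
NFS_SYN = Packet("tcp", "198.51.100.7", "203.0.113.10", sport=40000, dport=2049)
# 3. ICMP "fragmentation needed" from a transit router numbered out of 10/8.
FRAG_NEEDED = Packet("icmp", "10.1.1.1", "203.0.113.10")

# The rule as quoted in the post: deny tcp any any eq 2049
NAIVE = [Rule("deny", "tcp", dport=2049)]
# Only block packets that are opening a connection toward 2049.
REFINED = [Rule("deny", "tcp", dport=2049, established=False)]
# Blanket filter on RFC 1918 source addresses.
PRIVATE_SRC = [Rule("deny", src_private=True)]

FLOW = {"syn": SYN, "syn_ack": SYN_ACK, "nfs_syn": NFS_SYN}


def naive_filter_results() -> dict:
    return {name: evaluate(NAIVE, p) for name, p in FLOW.items()}


def refined_filter_results() -> dict:
    return {name: evaluate(REFINED, p) for name, p in FLOW.items()}


def private_source_filter_results() -> dict:
    return {"frag_needed": evaluate(PRIVATE_SRC, FRAG_NEEDED),
            "syn": evaluate(PRIVATE_SRC, SYN)}


if __name__ == "__main__":
    print("naive  :", naive_filter_results())    # syn_ack denied -> connection fails
    print("refined:", refined_filter_results())  # syn_ack permitted, nfs_syn still denied
    print("private:", private_source_filter_results())  # ICMP from 10/8 dropped
```

Run stand-alone, the first line shows the SYN leaving but its SYN-ACK being denied, which is exactly the failure mode the post describes for a >1024 port filter in the path; the second shows that restricting the rule to connection-opening packets keeps the NFS block while sparing the reply.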