address spoofing

• Previous message (by thread): address spoofing
• Next message (by thread): address spoofing
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

>First of all, everyone seems to think that this paragraph:
>
>> "Because private addresses have no global meaning, routing information
>> about private networks shall not be propagated on inter-enterprise
>> links, and packets with private source or destination addresses should
>> not be forwarded across such links. Routers in networks not using
>> private address space, especially those of Internet service providers,
>> are expected to be configured to reject (filter out) routing information
>> about private networks. If such a router receives such Information the
>> rejection shall not be treated as a routing protocol error."
>
>means that packets with source addresses from RFC 1918 space should not be
>permitted on the global internet.   While I agree that RFC 1918 addresses
>should not be used on internet visible interfaces, I'm unaware of anywhere
>in the RFC's where it says that "routers should be configured to reject
>packets coming from RFC 1918 space."   In fact, I can think of several
>things which this will likely break, such as MTU path discovery.   Note
>that "routing information" is NOT the same as "packets from RFC1918
>space".

well...there is that part about

   ...packets with private source or destination addresses should not be
   forwarded across such links.

that sort of clears it up for me.

>Also, I've seen several people filtering stuff on borders such as:
>
>  deny tcp any any eq 2049
>  (and several other >1024 port numbers)
>
>Remember, on machines where nothing is bound to 2049, 2049 is a perfectly
>acceptable port to use for ANY type of TCP connection.   Only ports below
>1024 are reserved.   If you happen to have a filter on say port 2049
>between you and the destination and your TCP implementation gives you 2049
>for a given TCP connection, the connection will fail.

...which was a mistake anyway.  whoever it was that was developing nfs
decided to hardcode 2049 so that (a) it could be done as a regular
user and (b) it could be done even without portmapper support (even
though it was rpc based).  it *should* have been moved to a reserved
or well-known port before official release, but it was not.

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior at daemon.org             * "ah!  i see you have the internet
twofsonet at graffiti.com (Andrew Brown)                that goes *ping*!"
andrew at crossbar.com       * "information is power -- share the wealth."

• Previous message (by thread): address spoofing
• Next message (by thread): address spoofing
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]