address spoofing

Andrew Brown twofsonet at
Fri Apr 23 21:38:23 UTC 1999

>First of all, everyone seems to think that this paragraph:
>> "Because private addresses have no global meaning, routing information
>> about private networks shall not be propagated on inter-enterprise
>> links, and packets with private source or destination addresses should
>> not be forwarded across such links. Routers in networks not using
>> private address space, especially those of Internet service providers,
>> are expected to be configured to reject (filter out) routing information
>> about private networks. If such a router receives such Information the
>> rejection shall not be treated as a routing protocol error."
>means that packets with source addresses from RFC 1918 space should not be
>permitted on the global internet.   While I agree that RFC 1918 addresses
>should not be used on internet visible interfaces, I'm unaware of anywhere
>in the RFC's where it says that "routers should be configured to reject
>packets coming from RFC 1918 space."   In fact, I can think of several
>things which this will likely break, such as MTU path discovery.   Note
>that "routing information" is NOT the same as "packets from RFC1918

well...there is that part about

   ...packets with private source or destination addresses should not be
   forwarded across such links.

that sort of clears it up for me.

>Also, I've seen several people filtering stuff on borders such as:
>  deny tcp any any eq 2049
>  (and several other >1024 port numbers)
>Remember, on machines where nothing is bound to 2049, 2049 is a perfectly
>acceptable port to use for ANY type of TCP connection.   Only ports below
>1024 are reserved.   If you happen to have a filter on say port 2049
>between you and the destination and your TCP implementation gives you 2049
>for a given TCP connection, the connection will fail.

...which was a mistake anyway.  whoever it was that was developing nfs
decided to hardcode 2049 so that (a) it could be done as a regular
user and (b) it could be done even without portmapper support (even
though it was rpc based).  it *should* have been moved to a reserved
or well-known port before official release, but it was not.

|-----< "CODE WARRIOR" >-----|
codewarrior at             * "ah!  i see you have the internet
twofsonet at (Andrew Brown)                that goes *ping*!"
andrew at       * "information is power -- share the wealth."

More information about the NANOG mailing list