address spoofing

Sat Apr 24 02:25:29 UTC 1999

Greg A. Woods wrote:

> [ On Friday, April 23, 1999 at 00:59:06 (-0500), Phil Howard wrote: ]
> > Subject: Re: address spoofing
> >
> > My outbound access lists block it, so you should never see 1918
> > sources coming from me.  You should see "* * *" instead, even
> > if you don't block them coming in to your net.
> 
> I think this sucks big-time.  It wouldn't be quite so bad if traceroute
> were the only thing that were broken by it (though I do like my
> traceroutes to work properly too), but when all ICMP traffic from such a
> router is hosed, and one of the links my packets are trying to hop onto
> through such a router is down, then I'm a particularly unhappy camper
> (if I could see the !H or !N I'd still be unhappy of course, but not
> throwing my arms up in disgust at the guy generating the * * *).  Of
> course even an upstream provider from my own home network does this,
> depsite the fact I've chided and cajoled and otherwise bugged them to
> change it.

So are you making a case to allow RFC1918 source addresses out into the
network?

> Now in Phil's networks perhaps it is normally impossible for illegally
> formed host-unreachables to be generated even in the face of outages
> because hopefully he's got everything running fully redundant, but *I*
> see this kind of breakage from all kinds of places many times a day in
> the filter logs on my networks and those of my clients.
> 
> There's also not really any difference between you blocking those
> packets on the way out, and me blocking them on the way in -- the end
> result is that all ICMP and whatever else from those routers is busted.
> 
> Perhaps router vendors can figure out some way to ensure that all
> packets generated by a router get a unique, valid, non-RFC1918 number
> when they would otherwise have used an RFC1918 number.  Maybe people who
> think they need to use RFC1918 should instead just hide all their
> internal crap in a big ATM or FR cloud.

How do you hide an IP network?

If you're proposing another set of addresses be reserved for uses like
this, then I'd be in favor of it with you.  Using RFC1918 is certainly
not the best way to do this, but using allocated space is no better as
long as allocations are tight.

> Then there's the crap I see in the filter logs on my HTTP transparent
> cache and proxy machines that seems to indicate people have publicly
> published URLs (perhaps with publicly visible DNS) that point at RFC1918
> space.....  Grrrrr.

People don't know how to separate their internet DNS from intranet DNS.
Or maybe they don't want to put the money into that kind of structure.
If BIND could be modified to deliver different results depending on the
source of the request, or it's interface, then it might become easy for
people to setup DNS to avoid this.

-- 
Phil Howard           KA9WGN
phil at intur.net phil at ipal.net