rfc1918 ignorant
David Schwartz
davids at webmaster.com
Wed Jul 23 17:36:47 UTC 2003
> -----Original Message-----
> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu]On Behalf Of
> variable at ednet.co.uk
> Sent: Wednesday, July 23, 2003 6:10 AM
> To: Dave Temkin
> Cc: nanog at merit.edu
> Subject: re: rfc1918 ignorant
>
>
>
> On Wed, 23 Jul 2003, Dave Temkin wrote:
>
> > Is this really an issue? So long as they're not advertising the space I
> > see no issue with routing traffic through a 10. network as transit. If
> > you have no reason to reach their router directly (and after
> Cisco's last
> > exploit, I'd think no one would want anyone to reach their
> router directly
> > :-) ), what's the harm done?
>
> If Frank's seeing the IP in his traceroute then the network concerned
> isn't properly filtering traffic leaving their borders as per BCP38:
>
> http://www.faqs.org/rfcs/bcp/bcp38.html
They're not complying with RFC1918 either:
In order to use private address space, an enterprise needs to
determine which hosts do not need to have network layer connectivity
outside the enterprise in the foreseeable future and thus could be
classified as private. Such hosts will use the private address space
defined above. Private hosts can communicate with all other hosts
inside the enterprise, both public and private. However, they cannot
have IP connectivity to any host outside of the enterprise. While not
having external (outside of the enterprise) IP connectivity private
hosts can still have access to external services via mediating
gateways (e.g., application layer gateways).
All other hosts will be public and will use globally unique address
space assigned by an Internet Registry. Public hosts can communicate
with other hosts inside the enterprise both public and private and
can have IP connectivity to public hosts outside the enterprise.
Public hosts do not have connectivity to private hosts of other
enterprises.
and
Because private addresses have no global meaning, routing information
about private networks shall not be propagated on inter-enterprise
links, and packets with private source or destination addresses
should not be forwarded across such links. Routers in networks not
using private address space, especially those of Internet service
providers, are expected to be configured to reject (filter out)
routing information about private networks. If such a router receives
such information the rejection shall not be treated as a routing
protocol error.
Indirect references to such addresses should be contained within the
enterprise. Prominent examples of such references are DNS Resource
Records and other information referring to internal private
addresses. In particular, Internet service providers should take
measures to prevent such leakage.
It's pretty clear that devices with network layer connectivity outside the
etnerprise are not private and thus can't be numbered inside private IP
space.
DS
More information about the NANOG
mailing list