rfc1918 ignorant

David Schwartz davids at webmaster.com
Wed Jul 23 17:36:47 UTC 2003




> -----Original Message-----
> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu]On Behalf Of
> variable at ednet.co.uk
> Sent: Wednesday, July 23, 2003 6:10 AM
> To: Dave Temkin
> Cc: nanog at merit.edu
> Subject: re: rfc1918 ignorant
>
>
>
> On Wed, 23 Jul 2003, Dave Temkin wrote:
>
> > Is this really an issue?  So long as they're not advertising the space I
> > see no issue with routing traffic through a 10. network as transit.  If
> > you have no reason to reach their router directly (and after
> Cisco's last
> > exploit, I'd think no one would want anyone to reach their
> router directly
> > :-) ), what's the harm done?
>
> If Frank's seeing the IP in his traceroute then the network concerned
> isn't properly filtering traffic leaving their borders as per BCP38:
>
> http://www.faqs.org/rfcs/bcp/bcp38.html

	They're not complying with RFC1918 either:

   In order to use private address space, an enterprise needs to
   determine which hosts do not need to have network layer connectivity
   outside the enterprise in the foreseeable future and thus could be
   classified as private. Such hosts will use the private address space
   defined above.  Private hosts can communicate with all other hosts
   inside the enterprise, both public and private. However, they cannot
   have IP connectivity to any host outside of the enterprise. While not
   having external (outside of the enterprise) IP connectivity private
   hosts can still have access to external services via mediating
   gateways (e.g., application layer gateways).

   All other hosts will be public and will use globally unique address
   space assigned by an Internet Registry. Public hosts can communicate
   with other hosts inside the enterprise both public and private and
   can have IP connectivity to public hosts outside the enterprise.
   Public hosts do not have connectivity to private hosts of other
   enterprises.

	and

   Because private addresses have no global meaning, routing information
   about private networks shall not be propagated on inter-enterprise
   links, and packets with private source or destination addresses
   should not be forwarded across such links. Routers in networks not
   using private address space, especially those of Internet service
   providers, are expected to be configured to reject (filter out)
   routing information about private networks. If such a router receives
   such information the rejection shall not be treated as a routing
   protocol error.

   Indirect references to such addresses should be contained within the
   enterprise. Prominent examples of such references are DNS Resource
   Records and other information referring to internal private
   addresses. In particular, Internet service providers should take
   measures to prevent such leakage.

	It's pretty clear that devices with network layer connectivity outside the
enterprise are not private and thus can't be numbered inside private IP
space.

	DS
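The leak the thread is arguing about shows up in ordinary traceroute output, and it is easy to check for mechanically. What follows is an added example, not part of David's post and not code from anyone on the NANOG thread: a small Python checker that parses traceroute(8) output and flags hops that answer from RFC 1918 space once the path has already passed a public hop (a private hop before the first public one is just your own LAN). The traceroute text embedded in it is constructed for the example; the extra non-routable ranges beyond RFC 1918 are an assumption about what a reader would also want flagged, not something the thread mentions.

```python
"""Flag traceroute hops that answer from RFC 1918 space after the path has
left your own network.  Added example; the traceroute output below is
constructed, not a real capture."""
import ipaddress
import re

# Address space that must never appear as a hop on a path that has left your
# own network.  RFC 1918 is what the thread is about; the second list is an
# assumption (other blocks with no global meaning) that a reader would also
# want flagged.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OTHER_NONROUTABLE = [ipaddress.ip_network(n) for n in
                     ("0.0.0.0/8", "127.0.0.0/8", "100.64.0.0/10",
                      "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# A traceroute hop line starts with the hop number; the responding address is
# the first dotted quad on the line (printed bare or in parentheses).
HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed sample: hop 1 is the local gateway (fine), hop 3 is a transit
# router numbered in 10/8 answering from beyond the first public hop (the leak).
SAMPLE_TRACEROUTE = """\
traceroute to www.example.com (203.0.113.10), 30 hops max, 60 byte packets
 1  gw.lan (192.168.1.1)  0.5 ms  0.4 ms  0.4 ms
 2  198.51.100.1 (198.51.100.1)  9.1 ms  9.0 ms  9.3 ms
 3  10.254.0.9 (10.254.0.9)  12.4 ms  12.1 ms  12.0 ms
 4  * * *
 5  203.0.113.10 (203.0.113.10)  20.1 ms  19.8 ms  20.0 ms
"""


def classify(addr: str) -> str:
    """Return 'rfc1918', 'nonroutable' or 'public' for an IPv4 literal."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if any(ip in net for net in OTHER_NONROUTABLE):
        return "nonroutable"
    return "public"


def parse_hops(text: str):
    """Return [(hop_number, responding_ip_or_None)] from traceroute output.
    The header line (no leading hop number) is skipped; a hop that only
    timed out ('* * *') is recorded with None."""
    hops = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue
        ip = IPV4.search(m.group(2))
        hops.append((int(m.group(1)), ip.group(1) if ip else None))
    return hops


def find_leaked_private_hops(text: str):
    """Return [(hop, ip)] for private/non-routable hops that answer *after*
    the path has already reached a public hop.

    Private hops before the first public hop are the local network.  A
    private hop after it means a foreign router numbered in RFC 1918 space
    emitted an ICMP time-exceeded with a private source address across an
    inter-enterprise link and nobody on the way filtered it: the case the
    thread says RFC 1918 and BCP 38 both forbid."""
    leaked = []
    left_enterprise = False
    for hop, ip in parse_hops(text):
        if ip is None:
            continue
        kind = classify(ip)
        if kind == "public":
            left_enterprise = True
        elif left_enterprise:
            leaked.append((hop, ip))
    return leaked


if __name__ == "__main__":
    for hop, ip in find_leaked_private_hops(SAMPLE_TRACEROUTE):
        print(f"hop {hop}: {ip} ({classify(ip)}) answered from beyond the "
              f"first public hop; private source crossed a border unfiltered")
```

One practical consequence worth keeping in mind when you see such a hop: any ICMP that router generates has a private source, so it is not only an RFC 1918 violation on their side, it is also exactly what your own ingress bogon filter will drop. A "fragmentation needed" message from a 10/8-numbered transit router will never reach you, and path MTU discovery through it silently breaks.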
