The power of default configurations

Sean Donelan sean at donelan.com
Mon Apr 11 01:15:39 UTC 2005


On Thu, 7 Apr 2005, Christopher L. Morrow wrote:
> no to 1) prolong the pain, 2) beat a horsey.. BUT, why are 1918 ips
> 'special' to any application? why are non-1918 ips 'special' in a
> different way?

Because they're 'special.'

But you are correct, there is nothing special about RFC1918 at the
network.

If people did proper source address validation they wouldn't send RFC1918
addresses along with a lot of other junk. RFC1918 are actually a very
small amount of the junk packets, they are just easy for people like
Paul to detect. Its just harder to detect the other mis-configured
address ranges.  CYMRU bogons are pretty funny when you think about
it, if the bad guys can spoof packets why would they spoof address
ranges that are easy to filter?  You want anti-spoofing of all addresses,
not special address ranges.

The other side.  A lot of software programmers and network architects and
security consultants think RFC1918 addresses are special.  This leads
to a lot of mis-configured (or more precisely, never configured) software.

How can we make more software "safe by default?"  Because relying on the
user or sysadmin to make it safe isn't working.  That includes safe
default configurations that are conservative in what they send, such as
doing RFC1918 lookups against root name servers.  The original BIND
from Berkeley included a "localhost" file, why not a "workgroup" file
and an RFC1918 file?





More information about the NANOG mailing list