BCP38 exceptions for RFC1918 space

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Sun Aug 15 11:26:38 CDT 2010


On Sun, 15 Aug 2010 18:14:41 +0200, Florian Weimer said:
> What's the current consensus on exempting private network space from
> source address validation?  Is it recommended?  Discouraged?

What you do on your internal networks and internal transit is your business.
BCP38 talks about where you connect to the rest of the world.

RFC 1918 is specific that you're supposed to get all medieval on any escaping packets:

   It is strongly recommended that routers which connect enterprises to
   external networks are set up with appropriate packet and routing
   filters at both ends of the link in order to prevent packet and
   routing information leakage. An enterprise should also filter any
   private networks from inbound routing information in order to protect
   itself from ambiguous routing situations which can occur if routes to
   the private address space point outside the enterprise.

> (One argument in favor of exceptions is that it makes PMTUD work if
> transfer networks use private address space.)

And that connection that's trying to use PMTU got established across the
commodity internet, how, exactly? ;)  That implies you let some routing
info escape and got one of those "ambiguous routing situations". 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20100815/7c78f202/attachment.bin>


More information about the NANOG mailing list