[ On Friday, April 23, 1999 at 21:25:29 (-0500), Phil Howard wrote: ]
Subject: Re: address spoofing
> So are you making a case to allow RFC1918 source addresses out into the network?
Huh? No, I thought I was saying very much the opposite! I don't want my upstream provider to use RFC1918 on inter-router links, but they do anyway. I'd like them to filter those addresses too, but they won't.
> How do you hide an IP network?
If you do all your internal routing over ATM or FR virtual circuits then you won't need to (and in fact cannot) use IP numbers for those circuits -- it all looks like the physical layer from IP's perspective (the theory being that if you don't need IPs for inter-router links then you won't be using precious unique IPs and feel the pressure to use RFC1918 numbers instead). I'm certainly no expert at this, but from the outside I've seen it done quite successfully. It sure cuts down on the hop count visible from traceroute too! It's damn near impossible to debug from the outside, of course, but sometimes that's desirable! ;-)
> If you're proposing another set of addresses be reserved for uses like this, then I'd be in favor of it with you. Using RFC1918 is certainly not the best way to do this, but using allocated space is no better as long as allocations are tight.
Using any other set of reserved addresses would have exactly the same problem as using RFC1918 addresses has. The only two viable options are to either use globally unique addresses, or not to use any IP routing internally at all.
> People don't know how to separate their internet DNS from intranet DNS. Or maybe they don't want to put the money into that kind of structure. If BIND could be modified to deliver different results depending on the source of the request, or its interface, then it might become easy for people to set up DNS to avoid this.
Yes, it can be done, but even I am not yet using the latest software, which makes this much easier, on all the machines I manage.

--
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods@acm.org> <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
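The two border filters this thread argues for, as an added example that is not part of the original thread: drop packets arriving from the upstream with an RFC1918 (or loopback) source, and stop such sources from leaving your own network; it goes one step further than the thread and also drops inbound packets claiming your own prefixes as source. The prefixes in OUR_NETS and the flow records are constructed from documentation address space, not real allocations.

```python
import ipaddress

# RFC1918 private space plus loopback: a border should never see these as sources.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Assumed allocation for "our" network (constructed, documentation prefixes).
OUR_NETS = [ipaddress.ip_network("192.0.2.0/24"),
            ipaddress.ip_network("198.51.100.0/24")]


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def filter_verdict(direction, src):
    """Return (verdict, reason) for a packet with source address `src`.

    direction: "in"  = arriving from the upstream on the outside interface
               "out" = leaving our network toward the upstream
    """
    addr = ipaddress.ip_address(src)
    if _in_any(addr, PRIVATE_NETS):
        return "drop", "rfc1918-or-loopback source"
    if direction == "in" and _in_any(addr, OUR_NETS):
        return "drop", "spoofed: our own prefix arriving from outside"
    if direction == "out" and not _in_any(addr, OUR_NETS):
        return "drop", "egress: source not in our allocation"
    return "accept", "ok"


def audit(records):
    """records: iterable of 'direction src dst' strings (constructed format).
    Returns (line, reason) for every record the border filter would drop."""
    dropped = []
    for line in records:
        direction, src, _dst = line.split()
        verdict, reason = filter_verdict(direction, src)
        if verdict == "drop":
            dropped.append((line, reason))
    return dropped


SAMPLE = [  # constructed flow records
    "in 203.0.113.7 192.0.2.10",
    "in 10.1.2.3 192.0.2.10",         # RFC1918 source leaking from upstream links
    "in 192.0.2.99 192.0.2.10",       # our own prefix from outside: spoofed
    "out 192.0.2.10 203.0.113.7",
    "out 192.168.5.5 203.0.113.7",    # internal host leaking a private source
    "out 203.0.113.200 203.0.113.7",  # source outside our allocation
]

if __name__ == "__main__":
    for line, reason in audit(SAMPLE):
        print(f"DROP {line}  ({reason})")
```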