[ On Sunday, July 16, 2000 at 16:58:52 (-0700), Bohdan Tashchuk wrote: ]
Subject: Re: RFC 1918
> Line #2 allows relatively benign incoming ICMP, such as "fragmentation needed", but hopefully blocks the more problematic stuff.
That might be just fine for *you* and anyone *exactly* like you who will *never* use RFC1918 addresses internally yourself. However *everyone* who does use such addresses cannot even allow "harmless ICMP" through, as it can suddenly be *far* from harmless. It really really really really is best for *everyone* if *all* RFC1918 addresses, src or dst, *always* get filtered everywhere possible. The more redundancy here, the better everyone is protected against both their own mistakes as well as those of others. Even better, of course, is full ingress/egress filtering of spoofed addresses, which of course will obviously block RFC1918 packets along with all other illegal packets. Once you go beyond merely protecting everyone from their mistakes and those of others and you add in the potential malicious uses of such illegal packets (both RFC1918, as well as otherwise spoofed packets), well then the argument becomes overwhelming in favour of full filtering everywhere possible.
> Of course I never send packets to the Internet with an RFC1918 address in them.
Exactly, and so long as anyone who does use such numbers internally is always 100% absolutely perfect in configuring their routers, then there's no reason *not* to filter RFC1918 addresses everywhere else to prevent the malicious uses! ;-) Furthermore, anyone "accidentally" using any addresses not explicitly assigned to them in publicly accessible places will more quickly learn the error of their ways if all such illegal use is blocked, logged, and reported, at the closest possible point to their borders.

-- 
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods@acm.org> <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
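The border policy argued for in this message (drop RFC1918 as src or dst in both directions, plus ingress/egress anti-spoofing against the site's own prefix, logging every drop), as an added model in Python using only the standard library; it is not code from this thread or from any router. OUR_PREFIX is a placeholder for the prefix actually assigned to a site, and the sample traffic is constructed.

```python
import ipaddress
from collections import namedtuple

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Placeholder for the prefix actually assigned to the site (TEST-NET-3, not a real assignment).
OUR_PREFIX = ipaddress.ip_network("203.0.113.0/24")
Verdict = namedtuple("Verdict", "action reason")

def _in_any(addr, nets):
    return any(addr in n for n in nets)

def border_filter(direction, src, dst):
    """Verdict for one packet; direction is "in" (from the Internet) or "out" (to it)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # RFC1918 space is never legitimate on the public side, as src or dst, in
    # either direction: that is the "filter everywhere possible" rule.
    if _in_any(s, RFC1918):
        return Verdict("DROP", f"rfc1918-src {s}")
    if _in_any(d, RFC1918):
        return Verdict("DROP", f"rfc1918-dst {d}")
    # Ingress/egress anti-spoofing: inbound packets may not claim one of our
    # own addresses; outbound packets must carry one of our addresses as source.
    if direction == "in" and s in OUR_PREFIX:
        return Verdict("DROP", f"spoofed-src-ours {s}")
    if direction == "out" and s not in OUR_PREFIX:
        return Verdict("DROP", f"egress-src-not-ours {s}")
    return Verdict("ALLOW", "")

def apply_policy(packets):
    """Filter (direction, src, dst) tuples; return verdicts plus the log lines for what was blocked."""
    verdicts, log = [], []
    for direction, src, dst in packets:
        v = border_filter(direction, src, dst)
        verdicts.append(v)
        if v.action == "DROP":
            log.append(f"DENY {direction} {src} -> {dst} ({v.reason})")
    return verdicts, log

# Constructed sample traffic, not captured data.
SAMPLE = [
    ("in",  "198.51.100.7", "203.0.113.10"),  # ordinary inbound packet
    ("in",  "10.1.2.3",     "203.0.113.10"),  # leaked or spoofed private source
    ("in",  "198.51.100.7", "192.168.0.5"),   # "harmless" ICMP aimed at a private dst
    ("in",  "203.0.113.10", "203.0.113.11"),  # inbound packet claiming one of our addresses
    ("out", "203.0.113.10", "198.51.100.7"),  # ordinary outbound packet
    ("out", "172.16.9.9",   "198.51.100.7"),  # our own RFC1918 leak on the way out
    ("out", "192.0.2.1",    "198.51.100.7"),  # outbound with an address not assigned to us
]
```

Running apply_policy(SAMPLE) drops five of the seven packets; the third case is the point of the reply, since a packet to a private destination is blocked regardless of whether it is ICMP.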