John Fraizer wrote:
Why on earth would anyone let any of the following networks in to their network at the border?
10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
Hell, for that matter, I block anything claiming to be from our networks as well. There's no way they'll be originating from the outside unless it's spoofed.
Nothing and I mean NOTHING claiming to be from any of them at your border is valid.
Define "network border." I used to block all traffic from or to RFC1918 addresses, but my present upstream is using 10.0.0.0/8 and 172.16.0.0/16, at least, for their internal use. So, the IP address of the WAN interface on my router connecting to them has a 10.0.0.0/8 address. If I block incoming traffic to 10.0.0.0/8, they can't monitor my net. It appears this is becoming the preferred way for ISPs to limit their use of address space for internal-only functions. While this makes sense at some levels, attached corporate networks may have already used those addresses. The result is some level of confusion, though for the most part it doesn't break too many things. Mostly, it's just annoying since firewalls can't filter out stuff they'd otherwise limit. In cases where ISPs use RFC1918 addresses within their networks, they really should: - Tell their downstream customers WHICH of these blocks are in use. - Provide filters at peering points that ensure RFC1918 addresses from outside the ISP's space do not come in from outside. - Provide Ingress filtering at all downstream customer ports to ensure only valid source IP addresses come from their customers. Dan -- ----------------------------------------------------------------- Daniel Senie dts@senie.com Amaranth Networks Inc. http://www.amaranthnetworks.com