On Tue, 18 Jul 2000, Eric A. Hall wrote:
"Richard A. Steenbergen" wrote:
On Mon, 17 Jul 2000, Eric A. Hall wrote:
When ISPs choose to mark their packets with Internet-illegal addresses, they are contributing to these problems. Sorry, but you're not supposed to be using these addresses anyway.
This is utterly stupid. You can use these addresses any way you see fit, you can source packets from them if you'd like, and they are as valid as any other address to use and be "on the internet".
What's dumber?
a) Filtering illegal packets from entering your network because they use your internal address range, because they are classed unroutable and should never appear on that interface, or both
Unroutable means you can't reach where the packets came from, not that the packets can't reach you. Just because you can't reply doesn't mean someone shouldn't be allowed to send you an informative piece of information, like a traceroute ttl-exceed.
b) Sending packets that you KNOW will be dropped or filtered by a good portion of their intended recipients.
This is not true. For the people like you who think they need to filter it, you've accomplished your goal. For the rest of the world, they simply do not care. Obviously it's not preferred by anyone to have RFC1918 sourced packets out there, mainly because they're not all that useful. But IMHO your belief that these are "Illegal bad wrong packets which should never appear on that interface" is incorrect.

As for the DoS issue, as I explained to someone in private email, there are three distinctions you can break a filter into:

1) It provides security
2) It stops an attack
3) It reduces an attack

RFC1918 filters obviously do not provide security. RFC1918 filters obviously do not "stop" any attacks outright. RFC1918 filters reduce the impact of attacks which can spoof by 3.19%.

I really don't see why you're wasting your time on it. Actually I really don't see why we're wasting our time arguing, this thread has long outlived its usefulness. But IMHO the RFC1918-nazi is not needed. :P

--
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/humble
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
"Richard A. Steenbergen" wrote:
Obviously it's not preferred by anyone to have RFC1918 sourced packets out there, mainly because they're not all that useful. But IMHO your belief that these are "Illegal bad wrong packets which should never appear on that interface" is incorrect.
They are illegal for two reasons:

o 1918 says they should never appear and should be filtered (it's in the spec).
o Security is a continuum; filtering traffic that should never appear is one less problem, not the end to all problems.

Pardon me for keeping a clean shop that doesn't cause you problems.
I really don't see why you're wasting your time on it. Actually I really don't see why we're wasting our time arguing, this thread has long outlived its usefulness. But IMHO the RFC1918-nazi is not needed. :P
The problem is that you cause other people problems when you crank them out. It's most certainly an operational issue. Being carefree and loose with your network addressing affects other people on the Internet, especially those who follow the rules as prescribed by the specs.

over and out

--
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
On Tue, Jul 18, 2000 at 05:51:07PM -0700, Eric A. Hall wrote:
They are illegal for two reasons:
o 1918 says they should never appear and should be filtered (it's in the spec).
Should [not] != Must [not].

--
Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
billf@chimesnet.com / billf@FreeBSD.org
[ On Tuesday, July 18, 2000 at 20:24:58 (-0400), Richard A. Steenbergen wrote: ]
Subject: Re: RFC 1918
Unroutable means you can't reach where the packets came from, not that the packets can't reach you. Just because you can't reply doesn't mean someone shouldn't be allowed to send you an informative piece of information, like a traceroute ttl-exceed.
Uh huh, and since that packet contains a source address that's *PRIVATE* and replicated a zillion times over in many unfortunately visible nooks and crannies of the Internet, not to mention probably replicated on the privately visible parts of the network you're doing the traceroute from, the information it contains is, at the very least, confusing. Furthermore if indeed you are using that number on your locally *private* network, and if it's any of several ICMP types, it can affect not only the connection it's reporting on, but perhaps other unrelated connections within your *private* network if it is malicious and sufficiently knowledgeable about your network architecture.
Obviously it's not preferred by anyone to have RFC1918 sourced packets out there, mainly because they're not all that useful. But IMHO your belief that these are "Illegal bad wrong packets which should never appear on that interface" is incorrect.
Come again!?!?!? Since by the dubious virtues of RFC1918 I'm allowed to use such numbers on my internal *private* network(s), having them appear in any form on any of my external interfaces is definitely 100% illegal in my operations, just as it is illegal for any packet to appear on any of my external interfaces when it claims to have come from one of my internal networks.
As for the DoS issue, as I explained to someone in private email, there are three distinctions you can break a filter into:
1) It provides security
2) It stops an attack
3) It reduces an attack
RFC1918 filters obviously do not provide security.
Lack of RFC1918 filters open many vulnerabilities for anyone who might choose to use those numbers internally, so they do in fact provide security just as all anti-spoof filters do.
RFC1918 filters obviously do not "stop" any attacks outright. RFC1918 filters reduce the impact of attacks which can spoof by 3.19%
Exactly, which is why RFC1918 packets are only one part of the necessary anti-spoof filters that all good network neighbours *must* learn to deploy these days.
I really don't see why you're wasting your time on it. Actually I really don't see why we're wasting our time arguing, this thread has long outlived its usefulness. But IMHO the RFC1918-nazi is not needed. :P
Sad to see you feel that way....

--
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods@acm.org> <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
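The external-interface anti-spoof filter Greg describes above (RFC1918 sources plus packets claiming one of the site's own internal prefixes), as an added example that is not code from any participant in this thread. The RFC 1918 blocks are the real ones; the site's own prefixes and the sample packets are constructed, and the ICMP time-exceeded case shows how the traceroute reply Richard mentions is treated by such a filter.

```python
"""Ingress anti-spoof filter for an external interface (added example)."""
import ipaddress
from typing import List, Tuple

# The three RFC 1918 private blocks.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed: prefixes this site uses internally. A packet arriving on the
# *external* interface must never claim one of them as its source.
OWN_PREFIXES = [ipaddress.ip_network(n) for n in
                ("198.51.100.0/24", "203.0.113.0/24")]


def classify_source(src: str) -> str:
    """Return the filter verdict for an inbound packet's source address.

    'drop-rfc1918'     source is private space that should never be seen here
    'drop-own-prefix'  source claims to be inside our own network (spoofed)
    'permit'           everything else passes this particular filter
    """
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in RFC1918):
        return "drop-rfc1918"
    if any(addr in net for net in OWN_PREFIXES):
        return "drop-own-prefix"
    return "permit"


def filter_packets(packets: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Apply classify_source to (src, description) pairs; return verdicts."""
    return [(src, desc, classify_source(src)) for src, desc in packets]


# Constructed sample traffic seen on the external interface.
SAMPLE_PACKETS = [
    ("10.1.2.3", "ICMP time-exceeded from a hop numbered out of 10/8"),
    ("172.31.9.9", "SYN from top of the 172.16/12 block"),
    ("172.32.0.1", "SYN from just past 172.16/12 (public space)"),
    ("198.51.100.7", "SYN claiming to come from our own LAN"),
    ("192.0.2.9", "ordinary inbound packet"),
]

if __name__ == "__main__":
    for src, desc, verdict in filter_packets(SAMPLE_PACKETS):
        print(f"{src:>15}  {verdict:<16} {desc}")
```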