In the referenced message, Walter Klomp said:
As far as I know .0 and .255 are network and broadcast addresses respectively, NEVER should a workstation be configured on these addresses, unless something drastically changed in the RFC's for IPv4 which I am not aware of...
only on a /24. on /0 - /23 only the first .0 is network, and the last .255 broadcast. on /25-/30 it depends on where the network begins and ends. /31 has no directed broadcast. /32 is a single host and similarly has no directed broadcast.
I for one am filtering .0 and .255 at my border routers, and also rate limiting echo at a reasonable rate... and have never gotten a complaint about people not being able to reach or be reached...
Walter Klomp
Date: Tue, 22 Jan 2002 11:48:52 -0500 (EST)
From: Stephen Griffin <stephen.griffin@rcn.com>
In the referenced message, Walter Klomp said:
As far as I know .0 and .255 are network and broadcast addresses respectively, NEVER should a workstation be configured on these addresses, unless something drastically changed in the RFC's for IPv4 which I am not aware of...
CIDR
only on a /24. on /0 - /23 only the first .0 is network, and the last .255 broadcast. on /25-/30 it depends on where the network begins and ends. /31 has no directed broadcast. /32 is a single host and similarly has no directed broadcast.
Or, put another way: Do the addresses in binary. Then convert to dotted quad.
I for one am filtering .0 and .255 at my border routers, and also rate limiting echo at a reasonable rate... and have never gotten a complaint about people not being able to reach or be reached...
Ughh. Take 10.0.0.0/22: What is 10.0.0.255? How about 10.0.1.0?

Misconfiguration like this is why I (and others) recommend not using ...0 or ...255 addresses, even if valid.

As you (Stephen) pointed out, what about 172.16.16.16/29? The smurf amplifiers there would be 172.16.16.16 and 172.16.16.23.

In incomplete C:

    uint32_t ip_addr ;
    uint32_t netmask ; /* assume that it's valid */

    if ( 0 == (ip_addr & ~netmask) )
        this_is_all_0s ;
    if ( ~netmask == (ip_addr & ~netmask) )
        this_is_all_1s ;

Eddy
---------------------------------------------------------------------------
Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence
---------------------------------------------------------------------------
On Tue, Jan 22, 2002 at 05:04:36PM +0000, E.B. Dreger wrote:
Ughh. Take 10.0.0.0/22: What is 10.0.0.255? How about 10.0.1.0?
Misconfiguration like this is why I (and others) recommend not using ...0 or ...255 addresses, even if valid.
[snip]

A quick look on IRC provides this:

146.172.78.255   ti511220a080-0255.bb.online.no
61.211.184.255   255.net061211184.t-com.ne.jp
24.127.52.255    we-24-127-52-255.we.mediaone.net
217.156.28.255   217.156.28.255
172.190.251.255  ACBEFBFF.ipt.aol.com
24.129.205.0     24.129.205.0
158.39.125.0     pc5000.ikt.ssin.no
146.172.31.0     ti121210a080-0768.bb.online.no
148.64.142.0     vsat-148-64-142-0.c7.sb7.mrt.starband.net
146.172.33.0     ti100710a080-0256.bb.online.no
66.110.162.0     adsl-66.110.162-0.globetrotter.net
146.172.33.0     ti100710a080-0256.bb.online.no
172.189.1.0      ACBD0100.ipt.aol.com

Granted, it's a small sample, but it proves that these [valid] addresses are in widespread use, they do work, and there's no real reason to not use them.. Filtering on *.255 and *.0 won't catch the other broadcast/network addresses on different subnet masks, and you wouldn't have to filter at all if the network were properly configured =)
Eddy
-- Matthew S. Hallacy CACU, PWGCS, and BOFH Certified http://techmonkeys.org/~poptix GPG public key 0x01938203
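
Added example (not part of any poster's message): a small C program that carries the host-bits test from the thread through to a full classification and compares it with a filter that looks only at the last octet. The function names and the IP() macro are assumptions made for this example; the sample addresses are the ones discussed in the thread, and the /31 and /32 handling follows the rule stated there.

```c
#include <stdint.h>
#include <stdio.h>

enum addr_kind { ADDR_HOST, ADDR_NETWORK, ADDR_BROADCAST };
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Netmask for a prefix length 0..32; /0 is special-cased because a 32-bit shift is undefined. */
static uint32_t prefix_to_mask(unsigned prefix_len)
{
    return prefix_len == 0 ? 0u : (uint32_t)(0xFFFFFFFFu << (32 - prefix_len));
}

/* Classify ip inside its subnet: all host bits 0 = network, all host bits 1 = broadcast. */
static enum addr_kind classify(uint32_t ip, unsigned prefix_len)
{
    uint32_t hostmask = (uint32_t)~prefix_to_mask(prefix_len);

    if (prefix_len >= 31)            /* /31 and /32: no directed broadcast */
        return ADDR_HOST;
    if ((ip & hostmask) == 0)
        return ADDR_NETWORK;
    if ((ip & hostmask) == hostmask)
        return ADDR_BROADCAST;
    return ADDR_HOST;
}

/* What a border filter keyed on the last octet (.0 / .255) would drop. */
static int last_octet_filter_drops(uint32_t ip)
{
    uint32_t last = ip & 0xFFu;
    return last == 0 || last == 255;
}

int main(void)
{
    static const char *names[] = { "host", "network", "broadcast" };
    struct { uint32_t ip; unsigned len; } t[] = {   /* addresses from the thread */
        { IP(10, 0, 0, 255), 22 },   { IP(10, 0, 1, 0), 22 },
        { IP(172, 16, 16, 16), 29 }, { IP(172, 16, 16, 23), 29 },
    };
    for (size_t i = 0; i < sizeof t / sizeof t[0]; i++) {
        uint32_t ip = t[i].ip;
        printf("%u.%u.%u.%u/%u: %s, last-octet filter drops: %s\n",
               (unsigned)(ip >> 24), (unsigned)((ip >> 16) & 255), (unsigned)((ip >> 8) & 255),
               (unsigned)(ip & 255), t[i].len, names[classify(ip, t[i].len)],
               last_octet_filter_drops(ip) ? "yes" : "no");
    }
    return 0;
}
```

On the /22 the last-octet filter drops two ordinary host addresses, and on the /29 it passes both the network and the directed-broadcast address.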