RFC 2827 is geared towards ISPs, but in the RFC it specifically mentions
Enterprise administrators, so that is why it is on the Security Test.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
CCIE (R&S, Voice, Security & Service Provider) certification(s) with
training locations throughout the United States, Europe, South Asia and
Australia. Be sure to visit our online communities at
www.ipexpert.com/communities and our public website at www.ipexpert.com

From: [email protected]
[mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Tuesday, April 27, 2010 4:48 AM
To: Brandon Carroll
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] RFC 2827/3704

Hi Brandon

RFC 2827 is specifically meant for ISP ingress filtering, right? It means
more to an ISP filtering unwanted source addresses from its customers.


Ref - http://www.ietf.org/rfc/rfc3704.txt

access-list 123 remark RFC 2827/3704 ingress filter - deny sources that cannot legitimately arrive from outside
access-list 123 deny ip 0.0.0.0 0.255.255.255 any
access-list 123 deny ip 10.0.0.0 0.255.255.255 any
access-list 123 deny ip 127.0.0.0 0.255.255.255 any
access-list 123 deny ip 172.16.0.0 0.15.255.255 any
access-list 123 deny ip 192.168.0.0 0.0.255.255 any
access-list 123 remark multicast and class E: four-octet wildcard 15.255.255.255 covers a /4
access-list 123 deny ip 224.0.0.0 15.255.255.255 any
access-list 123 deny ip 240.0.0.0 15.255.255.255 any
access-list 123 deny ip host 255.255.255.255 any
access-list 123 deny ip host 0.0.0.0 any
access-list 123 permit ip any any

Added two more entries for 0.0.0.0 and 255.255.255.255

If it is implemented for the customer perimeter router to block source
addresses from the internet, then you need to add one more entry that blocks
source addresses of your internal network. But since the internal addresses
will be from RFC 1918, the above should take care of it. If you use public
addresses in your network, then we may need to add an entry.

Please let me know your thoughts.

With regards

Kings

On Mon, Apr 26, 2010 at 8:26 PM, Brandon Carroll <[email protected]>
wrote:

The RFC states that you want to filter traffic that contains source addresses
not legitimately in use by the customer network.

Generally that would include 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8,
172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, and 240.0.0.0/4, but it's not
limited to these addresses. You should also include the address space in use
by the internal network. This makes sense since the address space used
internally should not be seen as the source in packets from the outside.

As RFC 3704 states, one possible solution for this would be uRPF. If you use
uRPF you don't need to worry as much about the addresses that you use. If you
use ACLs on ingress you do. The reason you've probably seen differences in
the ACLs relates to the networks used in the examples.

Regards,

Brandon Carroll - CCIE #23837
Senior Technical Instructor - IPexpert
Mailto: [email protected]
Telephone: +1.810.326.1444
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

Platinum Solutions Group (PSG) provides high-end consulting services with a
primary emphasis on Cisco's Data Center Solutions, Service Provider
Solutions, Unified Communications and Security-enabled infrastructures. Be
sure to visit www.platinumsolutionsgroup.com.

On Apr 26, 2010, at 6:36 AM, Kingsley Charles wrote:

Hi all

Can someone please let me know the addresses for RFC 2827/3704 that should
be followed. I see differences in the way they are implemented in various
sites.

The RFCs also do not mention specific addresses for RFC 2827/3704 as they
do for RFC 1918/3330.

With regards

Kings

_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com
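To show what the thread's ACL and the uRPF alternative each actually decide on a given packet, here is a small Python model written for this note (it is not code from any of the posters or from IOS): the bogon list is the ACL above in CIDR form, while the internal prefix 203.0.113.0/24, the interface names and the routing table are constructed placeholders.

```python
import ipaddress

# Source prefixes from the ACL in the thread (RFC 2827 / RFC 3704 ingress
# filtering on a customer perimeter router), written as CIDR. The internal
# prefix is a constructed placeholder standing in for the site's own block.
BOGON_SOURCES = [
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4", "255.255.255.255/32",
]
INTERNAL_PREFIX = "203.0.113.0/24"  # assumed; TEST-NET-3 used as a stand-in

# Constructed routing table: prefix -> interface the route points out of.
ROUTES = {
    "203.0.113.0/24": "Gi0/1",  # inside LAN
    "0.0.0.0/0": "Gi0/0",       # default route toward the ISP
}

def acl_verdict(src, internal=INTERNAL_PREFIX):
    """Mirror the ACL on the outside interface: deny bogon sources and any
    packet claiming to come from our own internal block."""
    ip = ipaddress.ip_address(src)
    for prefix in BOGON_SOURCES + [internal]:
        if ip in ipaddress.ip_network(prefix):
            return "deny"
    return "permit"

def urpf_verdict(src, in_iface, routes=ROUTES):
    """Strict uRPF (RFC 3704 section 2.2): permit only if the longest-match
    route back to the source leaves via the interface the packet arrived on.
    The default route is consulted here, as with IOS 'allow-default'."""
    ip = ipaddress.ip_address(src)
    best = None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        return "deny"  # no route back at all
    return "permit" if best[1] == in_iface else "deny"

def audit(packets):
    """packets: list of (src, in_iface); returns (src, acl, urpf) per packet."""
    return [(s, acl_verdict(s), urpf_verdict(s, i)) for s, i in packets]

if __name__ == "__main__":
    # Constructed sample packets, all arriving on the ISP-facing Gi0/0.
    for row in audit([("10.1.2.3", "Gi0/0"), ("203.0.113.7", "Gi0/0"),
                      ("198.51.100.9", "Gi0/0"), ("224.0.0.1", "Gi0/0")]):
        print(row)
```

Note the first sample row: a 10.x source arriving from the ISP side passes strict uRPF once the default route is considered, yet the ACL still drops it, which is why the two checks are normally used together rather than as substitutes.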