At 9:54 AM +0100 3/24/00, Skough Axel IT-S wrote:
>Dear Bryan, 
>
>The IP protocol 54 is NBMA Next Hop Resolution Protocol, this protocol is
>used to find out the shortest way between two points and is used by some
>routing protocol, I am not sure, maybe the OSPF or something similar. 
>
>We got regular calls here using this protocol, but do not allow it to pass
>our firewall.  This obviously means that the calls cannot complete their
>task - to find out the shortest way to reach our services to the Internet.
>And I should like a discussion on this IP protocol to find out if there are
>some advantages to us to allow it or if it can act as an entry of misuse to
>map our site, thus possibly generating information to penetrate our site. 

Axel

I've noticed some interspersed with some address scans originating from
a compromised system located at a German University, so I started 
blocking them after reading the RFC.  If you're a leaf node, they have no 
value, if you're a middle level ISP, perhaps, but I'd have to be 
convinced.  BGP4 doesn't use it, I doubt seriously if OSPF does and I
don't run a "nonbroadcast network", so I'm skeptical of its value.

However, it did wake me up to just allowing TCP, UDP, ICMP (minimal) and 
not all the other IP protocols.

Chris
Ursus SND


from the RFC: December 1994

   This document describes the NBMA Address Resolution Protocol (NARP).
   NARP can be used by a source terminal (host or router) connected to a
   Non-Broadcast, Multi-Access link layer (NBMA) network to find out the
   NBMA addresses of a destination terminal provided that the
   destination terminal is connected to the same NBMA network.  Although
   this document focuses on NARP in the context of IP, the technique is
   applicable to other network layer protocols as well.  This RFC is a
   product of the Routing over Large Clouds Working Group of the IETF.

1. Introduction

   The NBMA Address Resolution Protocol (NARP) allows a source terminal
   (a host or router), wishing to communicate over a Non-Broadcast,
   Multi-Access link layer (NBMA) network, to find out the NBMA
   addresses of a destination terminal if the destination terminal is
   connected to the same NBMA network as the source.
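The filtering policy Chris describes above (accept TCP and UDP, accept a minimal
set of ICMP, drop every other IP protocol, including protocol 54) as an added
worked example. This is example code written for this page, not code from the
original thread or from any firewall product: it parses constructed IPv4 headers,
keys the decision on the protocol field, and logs what it drops. The "minimal"
ICMP set (echo reply, destination unreachable, time exceeded) and the sample
addresses are assumptions, not something the thread specifies.

```python
"""Default-deny IPv4 filtering keyed on the protocol number field.

Example code for this page. Packets are constructed inline, not captured,
and the allowed ICMP type set is an assumed "minimal" policy.
"""
import struct
from typing import List, NamedTuple, Optional, Tuple

# IANA IP protocol numbers mentioned in the thread
PROTO_ICMP = 1
PROTO_TCP = 6
PROTO_UDP = 17
PROTO_NARP = 54   # NBMA Address Resolution Protocol (RFC 1735)

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 54: "NARP", 89: "OSPF"}

# Assumed "minimal" ICMP: 0 echo reply, 3 destination unreachable
# (keeps path MTU discovery working), 11 time exceeded (traceroute replies).
ALLOWED_ICMP_TYPES = {0, 3, 11}


class Packet(NamedTuple):
    src: str
    dst: str
    proto: int
    icmp_type: Optional[int]


def parse_ipv4(raw: bytes) -> Packet:
    """Parse the fixed IPv4 header and, for ICMP, the type byte after it."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl = raw[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(raw) < ihl:
        raise ValueError("bad IHL")
    proto = raw[9]                       # the field the policy keys on
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    icmp_type = None
    if proto == PROTO_ICMP and len(raw) >= ihl + 1:
        icmp_type = raw[ihl]
    return Packet(src, dst, proto, icmp_type)


def verdict(pkt: Packet) -> str:
    """Allow-list on protocol number; anything unlisted falls through to DROP."""
    if pkt.proto in (PROTO_TCP, PROTO_UDP):
        return "ACCEPT"
    if pkt.proto == PROTO_ICMP:
        return "ACCEPT" if pkt.icmp_type in ALLOWED_ICMP_TYPES else "DROP"
    return "DROP"   # NARP (54), GRE, OSPF and every other protocol land here


def build_ipv4(proto: int, src: str, dst: str, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4 header (checksum left zero; enough for parsing)."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0, 0, 64, proto, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return header + payload


def filter_packets(raws: List[bytes]) -> List[Tuple[str, str]]:
    """Return (protocol name, verdict) per packet and log each drop."""
    results = []
    for raw in raws:
        pkt = parse_ipv4(raw)
        name = PROTO_NAMES.get(pkt.proto, "proto-%d" % pkt.proto)
        v = verdict(pkt)
        if v == "DROP":
            print("DROP %s %s -> %s" % (name, pkt.src, pkt.dst))
        results.append((name, v))
    return results


# Constructed sample traffic (documentation-range addresses, not real hosts)
SAMPLE = [
    build_ipv4(PROTO_TCP, "192.0.2.10", "198.51.100.5"),
    build_ipv4(PROTO_ICMP, "192.0.2.10", "198.51.100.5", bytes([8, 0])),  # echo request
    build_ipv4(PROTO_ICMP, "192.0.2.10", "198.51.100.5", bytes([3, 1])),  # dest unreachable
    build_ipv4(PROTO_NARP, "192.0.2.10", "198.51.100.5"),                # the protocol 54 probe
]

if __name__ == "__main__":
    for name, v in filter_packets(SAMPLE):
        print(name, v)
```

The point of keying on `raw[9]` rather than on ports is that a rule set which
only lists TCP and UDP ports says nothing about protocol 54, 47 or 89; the
unlisted protocols are only blocked if the chain's default is DROP. On a real
packet filter the same policy is a default-deny chain with explicit accepts for
tcp, udp and the chosen icmp types, and the dropped-protocol log line is what
turns probes like the ones Chris saw into something you can count and trace.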


-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
