Steve Costaras enscribed thusly:
> Yes, according to RFC 1918 the ranges:
> 10.0.0.0 - 10.255.255.255 (10/8 prefix)
> 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
> 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
> should be blocked by your ISP from getting on to the wires. However, I
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
No...
I think that is an extrapolation based on the RFC but is
not in the RFC at all. I could be wrong, and I welcome anyone who can
state emphatically where in that RFC is says that source addresses of
this form must be blocked. Actually, I don't think the RFC CAN specify
this because it would have to deal with "block at what point" or "blocked
at what interface". Do we block it at the border gateways and autonomous
systems or do we block it at all routers (which would screw some private
networks royally).
No...
The RFC merely states that these addresses will not be assigned
and, as such, will never have a routing advertisement. It does not mean
that they must be blocked or handled any different from any other
unassigned address. It merely guarentees that they will never BE ASSIGNED.
As such, they can never be routed. It says nothing about being blocked.
> have dealt with 5 major ISP's (digex, UUnet, PSI, et al to name a few)
> that DO NOT follow, nor do they want to follow this RFC. They would not
> give any reasons as to why and frankly I don't see why any major ISP would
> want to carry extra 'junk' traffic on their backbones. The only solution is
> to block it at your incoming serial interface. Ie. w/ a cisco something
> like
> this:
> access-list 103 deny ip 10.0.0.0 0.255.255.255 any
> access-list 103 deny ip 172.16.0.0 0.15.255.255 any
> access-list 103 deny ip 192.168.0.0 0.0.255.255 any
> access-list 103 deny ip 127.0.0.0 0.255.255.255 any
> access-list 103 deny ip 255.0.0.0 0.255.255.255 any
> access-list 103 deny ip host 0.0.0.0 any
> access-list 103 deny ip 207.238.162.0 0.0.0.255 any
This is something that everyone using the reserved addresses should
provide for themselves. You can NOT depend on an ISP doing this for you for
the simple reason that THEY may have reserved addresses in use or other
customers with reserved addresses in use. It is totally up to the user
of those addresses to provide the layers of blocking, insulation, and
translation required by that use. It is NOT up to the ISP.
> This will:
> 1) block the private address ranges
> 2) block the loopback address (127.0.0.*) which should also not be forwarded
> 3) block any packets WITHOUT a source address
> 4) block any packets that have a source address from within MY network.
> (i.e.. spoofing)
> 5) block any packets coming from a 'broadcast' network
> Steve
>
> ----- Original Message -----
> From: Bruce Stephens <[EMAIL PROTECTED]>
> To: at Linux-Net <[EMAIL PROTECTED]>
> Sent: Sunday, June 06, 1999 19:36
> Subject: Illegal IP addresses???
> > Hi y'all
> >
> > I'm getting a few hits on one of our Linux systems from an external
> > 192.168.x.x address.
> >
> > Now please feel free to correct me but I thought 192.168.x.x addresses
> were
> > not permitted on the Internet!! (Class C range)
> >
> > Yet this firewall is showing the following
> >
> > Jun 7 05:48:53 mitsi kernel: IP fw-in rej ppp0 UDP 192.168.5.192:137 <our
> > IP address>:137 L=78 S=0x00 I=50150 F=0x0000 T=105
> > The hits are in rapid succession (up to 100 trying various IP addresses)
> >
> > Note the port...
> > - netbios-ns 137/tcp nbns
> > - netbios-ns 137/udp nbns
> >
> > so is this is another illegal Windoze system?
> > We have had similar attempts from 192.168.1.65 as well.
> >
> > PS We do use 192.168.0.x addresses ourselves (internally only through a
> > masquerade) but do not use addresses in the 192.168.1.x or 192.168.5.x
> > networks. AND we certainly DON'T use Windoze anywhere. (MacOS and Linux).
> > Your thoughts would be appreciated.
> > Bruce.
Mike
--
Michael H. Warfield | (770) 985-6132 | [EMAIL PROTECTED]
(The Mad Wizard) | (770) 925-8248 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]
