On Thu, Sep 20, 2007 at 11:25:38AM -0400, Tim Shoppa wrote: > > Is it really the responsibility of the network layer to check the > "from" address and see it's nonsensical?
It is considered a best practice to do so. See BCP38, aka RFC2827 <ftp://ftp.rfc-editor.org/in-notes/rfc2827.txt>. I've personally had one-way tunnels broken when reverse path is implemented, but I still think its quite worth it. Also, RFC1918-space should never appear on the internet. Quoting RFC1918: Because private addresses have no global meaning, routing information about private networks shall not be propagated on inter-enterprise links, and packets with private source or destination addresses should not be forwarded across such links. Routers in networks not using private address space, especially those of Internet service providers, are expected to be configured to reject (filter out) routing information about private networks. If such a router receives such information the rejection shall not be treated as a routing protocol error. Indirect references to such addresses should be contained within the enterprise. Prominent examples of such references are DNS Resource Records and other information referring to internal private addresses. In particular, Internet service providers should take measures to prevent such leakage. There is a good chance that any 1918-sourced packets coming out of a network were /never/ intended to go to the Internet. Dropping them is probably a service to the network sending them, in preventing possible information leaks. In addition, I'd argue that any firewall which allows packets with a source-ip on the LAN side to come through the WAN interface is broken or misconfigured (with maybe some very special case exceptions). Not only do people sometimes use IP-based authentication (still), but the response packets will be going to one of your machines, if anywhere. You don't want to allow an attacker to cause you to send packets to an arbitrary inside machine. _______________________________________________ timekeepers mailing list [email protected] https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
