Re: [OT] 3dfx.com. nvidia.com unreachable




On Fri, May 25, 2001 at 11:56:03AM -0400, Alan Cox wrote:
> > private addresses routed to or addressed to outside of your local
> > address and border gateways SHOULD filter out anything that has a
> > source address of a private address space, but, barring "policy routing",
> > stock routing does not take the source address into consideration in
> > the routing tables.  Lack of filtering?  Maybe...  Debatable.
> > Hopelessly messed up routing tables?  Not.

> Invalid configuration - yes. Since ICMP's from the bogus 10.* addresses might
> be important ones that you screen (path mtu for example). Also you have to
> block external 10.* traffic if you are using 10.* internally as you may get
> errors on your network caused by believing an ICMP redirect escaped from their
> net

	Oh...  Agreed...  Absolutely!  (It's just not a "routing"
configuration error.  It's an issue for filtering, not routing.)

	But invalid configuration where?

	At their perimeter?  Probably.  They should not emit references
to RFC 1812 addresses to the net, but then again, they should not emit
ANY source addresses which can not be routed back to them (anti spoofing
filtering).  But maybe they don't have any such filtering in place (Yes,
Alan, I realize that MOST routers have filtering capabilities.  I also
know that a lot of them don't have additional capacity in terms of table
size or CPU load.  Unfortunate but reality.)

	At your perimeter?  Probably.  Why would you be allowing any
source address into your network which could not possibly be routed
back out (like packets coming in with internal source addresses).
Again...  Anti spoofing rules.  Again...  Perimeter router filtering
capacity.

	At the border gateways?  Probably.  Why should anything be allowed
into the core Internet which cannot be reversed.  But the border gateways
are REALLY overloaded and it's not a simple problem.

	Reality...  It's going to show up.  If you need to protect your
references and uses to RFC 1812 addresses, it's going to fall on you
to filter out external packets with those source addresses, simply because
you can NOT rely on anyone else to do it for you.  Rule of thumb in
security in general (and applicable here), you can't rely on "the other
guy" to "do the right thing".  The incompetent won't and the malicious
are sure to do the opposite.

	But this has gotten way off topic for this list.  :-)=)

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw@xxxxxxxxxxxx
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
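The two anti-spoofing rules Mike describes above (drop external packets whose source is private space or one of your own prefixes, and drop outbound packets whose source is not yours) can be written down as a small, testable filter policy. The following is an added example, not code from the thread or from any of the participants; the site prefix 192.0.2.0/24, the interface names "ext"/"int", and the sample packets are all constructed for illustration. It uses only the standard library `ipaddress` module.

```python
"""Ingress/egress anti-spoofing filter, written out as a packet classifier.

Constructed example. Two rules, applied per interface:
  - "ext" (packet arriving from the Internet): drop if the source is in our
    own prefixes (nobody outside can legitimately send as us) or in private
    (RFC 1918) / other non-routable space (it could never be routed back).
  - "int" (packet leaving our network): drop if the source is not one of
    our prefixes, so we never emit a source address that cannot be routed
    back to us.
"""
from ipaddress import ip_address, ip_network

# Assumed site prefix (constructed for the example, not from the thread).
OUR_PREFIXES = [ip_network("192.0.2.0/24")]

# RFC 1918 private space plus a few other ranges that must never appear as
# a source address on the public Internet.
BOGON_PREFIXES = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
    ip_network("127.0.0.0/8"),
    ip_network("0.0.0.0/8"),
]


def _in_any(addr, nets):
    """True if addr falls inside any of the given networks."""
    return any(addr in n for n in nets)


def classify(iface, src, dst):
    """Return ('ACCEPT', reason) or ('DROP', reason) for one packet.

    iface is 'ext' for packets arriving from the Internet and 'int' for
    packets leaving our network towards the Internet. dst is accepted for
    completeness; the anti-spoofing decision depends only on the source.
    """
    s = ip_address(src)
    if iface == "ext":
        if _in_any(s, OUR_PREFIXES):
            return ("DROP", "external packet claims an internal source (spoof)")
        if _in_any(s, BOGON_PREFIXES):
            return ("DROP", "external packet with private/non-routable source")
        return ("ACCEPT", "routable external source")
    if iface == "int":
        if not _in_any(s, OUR_PREFIXES):
            return ("DROP", "outbound source is not ours; would leak an unroutable source")
        return ("ACCEPT", "outbound source is ours")
    raise ValueError(f"unknown interface {iface!r}")


# Constructed sample packets (iface, src, dst), as a packet log might show them.
SAMPLE_PACKETS = [
    ("ext", "10.1.2.3", "192.0.2.10"),      # ICMP from a 10.* host outside
    ("ext", "192.0.2.5", "192.0.2.10"),     # claims to be us, but arrived from outside
    ("ext", "198.51.100.7", "192.0.2.10"),  # ordinary external host
    ("int", "192.0.2.10", "198.51.100.7"),  # our host talking out
    ("int", "10.0.0.9", "198.51.100.7"),    # internal 10.* address leaking out
]


def run_filter(packets=SAMPLE_PACKETS):
    """Classify every packet; returns a list of (iface, src, verdict)."""
    return [(i, s, classify(i, s, d)[0]) for i, s, d in packets]


if __name__ == "__main__":
    for iface, src, verdict in run_filter():
        print(f"{iface:3} src={src:15} {verdict}")
```

The egress rule is the one that protects everyone else; the ingress rule is the one you must have because, as Mike says, you cannot rely on the other side having the egress rule. Note the trade-off Alan raises: a peer that leaks 10.* sources will also have its ICMP (path MTU, for example) dropped by this policy, which is a symptom of their misconfiguration rather than a reason to weaken the filter.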




