[25263] in North American Network Operators' Group
Re: Martian list of IP's to block???
daemon@ATHENA.MIT.EDU (sthaug@nethelp.no)
Sat Oct 2 08:26:45 1999
To: jabley@patho.gen.nz
Cc: rfuller@3x.com, jmbrown@ihighway.net, nanog@merit.edu
From: sthaug@nethelp.no
In-Reply-To: Your message of "Sun, 3 Oct 1999 00:13:53 +1200"
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Sat, 02 Oct 1999 14:25:36 +0200
Message-ID: <92071.938867136@verdi.nethelp.no>
Errors-To: owner-nanog-outgoing@merit.edu
> > deny ip 10.0.0.0 0.255.255.255 any log
> > deny ip 172.16.0.0 0.15.255.255 any log
> > deny ip 192.168.0.0 0.0.255.255 any log
>
> These three clauses will block things like ICMP would-fragment and
> ttl-expired messages, in the event that some transitory bit of network
> between your customer and someone else's customer is numbered using
> RFC1918 address space (and causes such messages to be sent).
>
> I know of several networks which use RFC1918 addresses like this,
> in the belief that since the elements with these numbers never
> need to receive a packet from anybody outside the operator's network,
> there is no need for the numbers to be globally unique.
Unfortunately, they're wrong.
> In my opinion, such RFC1918 visibility in the public network is
> misguided, and half of the disruption to service caused by rules
> like those above could be considered just punishment.
Agreed.
> Trouble is, the other half of the disruption is for your customers,
> and you know who they're going to blame if they can't reach their
> favourite repository of huge flesh-tone jpegs.
>
> Operational content: does anybody actually block packets inbound
> from off-net, in the case where they are sourced from an RFC1918
> address? If so, do your customers complain?
We (UNINETT, AS224) block RFC 1918 source addresses on our border
routers, and have been doing so for a couple of years now. We have
had zero complaints about this. We certainly intend to continue.
Steinar Haug, Nethelp consulting, sthaug@nethelp.no
