[30140] in North American Network Operators' Group

home help back first fref pref prev next nref lref last post

Re: RFC 1918

daemon@ATHENA.MIT.EDU (Bohdan Tashchuk)
Sun Jul 16 20:01:17 2000

Message-ID: <39724C3C.555CBBD9@easystreet.com>
Date: Sun, 16 Jul 2000 16:58:52 -0700
From: Bohdan Tashchuk <tashchuk@easystreet.com>
MIME-Version: 1.0
To: nanog@merit.edu
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Errors-To: owner-nanog-outgoing@merit.edu


> Though technically you're right, this kind of attitude is exactly the
> problem.  Everyone should filter all RFC1918 usage on public links,
> regardless of whether they themselves use it, or their customers use it,
> or not.  To not do such filtering is to be a bad neighbour.

I'm just a home DSL user, and usually a fly on the wall for this mailing
list.

But I've found it beneficial to make a practical exception to your blanket
condemnation of RFC1918 source addresses. I don't think there is much harm
to it.

The relevant snippet of my rules on my ingress filter is:
	1) ... block bad things such as unused or spoofed addrs ...
	2) allow icmp from any to any icmptypes 0,3,4,11,12
	3) deny ip from 10.0.0.0/8 to any
	4) deny ip from 172.16.0.0/12 to any
	5) deny ip from 192.168.0.0/16 to any
	6) allow tcp from any to any 1024-65535 established
	7) ... some other rules ...
	8) deny everything else by default

Line #2 allows relatively benign incoming ICMP, such as "fragmentation
needed", but hopefully blocks the more problematic stuff.

I added this exception for a very practical reason. Without it there were
many routers, generating ICMP messages using RFC1918 source addresses,
whose error messages were important, but that I dropped at the firewall.
Interestingly, these messages passed through MANY intermediate routers that
didn't block packets with RFC1918 source addresses.

If you take it upon yourself to "filter all RFC1918 usage" from the outside
world, you (and your customers) will suffer for it. Because it seems to be
established practice out there.

Of course I never send packets to the Internet with an RFC1918 address in
them.
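The point of the rule order above is that the ICMP allow (rule 2) is matched before the RFC1918 denies (rules 3-5), so a "fragmentation needed" error from a router numbered out of 10/8 still gets through, while anything else from those ranges is dropped. The following is an added example, not code from the post: a first-match filter written in Python that mirrors the visible rules (the elided "..." rules are not reconstructed) and evaluates them against constructed sample packets, once in the poster's order and once with the ICMP allow moved after the RFC1918 denies. The packet representation, the sample addresses (documentation and private ranges) and the helper names are assumptions made for the illustration.

```python
# Added example: a first-match packet filter modelled on the ipfw-style rule
# order in the post. Everything here (Packet, the rule table, the sample
# packets) is constructed for illustration and is not the poster's own code.
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# The three RFC1918 blocks denied by rules 3-5 of the post.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# ICMP types the post allows in rule 2: echo reply (0), destination
# unreachable (3, which carries code 4 "fragmentation needed"), source
# quench (4), time exceeded (11), parameter problem (12).
BENIGN_ICMP_TYPES = {0, 3, 4, 11, 12}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                                  # "icmp", "tcp" or "udp"
    icmp_type: Optional[int] = None             # only meaningful for icmp
    dport: Optional[int] = None                 # only meaningful for tcp/udp
    tcp_flags: frozenset = field(default_factory=frozenset)   # e.g. {"SYN"}


def is_rfc1918(ip: str) -> bool:
    """True if ip falls in any of the three private blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def is_established(pkt: Packet) -> bool:
    """ipfw 'established' semantics: ACK or RST bit set (a bare SYN is not)."""
    return bool(pkt.tcp_flags & {"ACK", "RST"})


Rule = Tuple[str, Callable[[Packet], bool], str]

# Rules 2-6 of the post in the poster's order; rule 1 and rule 7 are elided
# in the original ("...") and are deliberately not reconstructed here.
RULE_ALLOW_ICMP: Rule = (
    "allow icmp types 0,3,4,11,12",
    lambda p: p.proto == "icmp" and p.icmp_type in BENIGN_ICMP_TYPES,
    "allow")
RULE_DENY_RFC1918: Rule = (
    "deny ip from rfc1918 to any",
    lambda p: is_rfc1918(p.src),
    "deny")
RULE_ALLOW_ESTABLISHED: Rule = (
    "allow tcp from any to any 1024-65535 established",
    lambda p: (p.proto == "tcp" and p.dport is not None
               and 1024 <= p.dport <= 65535 and is_established(p)),
    "allow")

POSTER_ORDER: List[Rule] = [RULE_ALLOW_ICMP, RULE_DENY_RFC1918, RULE_ALLOW_ESTABLISHED]
# The "blanket" variant the post argues against: RFC1918 denied before the
# ICMP exception gets a chance to match.
BLANKET_ORDER: List[Rule] = [RULE_DENY_RFC1918, RULE_ALLOW_ICMP, RULE_ALLOW_ESTABLISHED]


def filter_packet(pkt: Packet, rules: List[Rule]) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule, else default deny."""
    for name, pred, action in rules:
        if pred(pkt):
            return action, name
    return "deny", "default deny"


# Constructed sample traffic (203.0.113.0/24 is a documentation range).
FRAG_NEEDED_FROM_PRIVATE_ROUTER = Packet("10.1.2.3", "203.0.113.9", "icmp", icmp_type=3)
ECHO_REQUEST_FROM_PRIVATE = Packet("192.168.5.5", "203.0.113.9", "icmp", icmp_type=8)
SYN_FROM_PRIVATE = Packet("172.31.255.255", "203.0.113.9", "tcp", dport=2048,
                          tcp_flags=frozenset({"SYN"}))
ACK_FROM_PRIVATE = Packet("172.31.255.255", "203.0.113.9", "tcp", dport=2048,
                          tcp_flags=frozenset({"ACK"}))
ACK_FROM_PUBLIC = Packet("172.32.0.1", "203.0.113.9", "tcp", dport=40000,
                         tcp_flags=frozenset({"ACK"}))
SYN_FROM_PUBLIC = Packet("198.51.100.7", "203.0.113.9", "tcp", dport=40000,
                         tcp_flags=frozenset({"SYN"}))


def compare_orders(pkt: Packet) -> Tuple[str, str]:
    """Action under the poster's order vs. the blanket order."""
    return filter_packet(pkt, POSTER_ORDER)[0], filter_packet(pkt, BLANKET_ORDER)[0]


if __name__ == "__main__":
    for label, pkt in [("frag-needed from 10/8", FRAG_NEEDED_FROM_PRIVATE_ROUTER),
                       ("echo request from 192.168/16", ECHO_REQUEST_FROM_PRIVATE),
                       ("SYN from 172.16/12", SYN_FROM_PRIVATE),
                       ("ACK from 172.16/12", ACK_FROM_PRIVATE),
                       ("ACK from 172.32.0.1 (public)", ACK_FROM_PUBLIC),
                       ("SYN from public", SYN_FROM_PUBLIC)]:
        poster, blanket = compare_orders(pkt)
        print(f"{label:32s} poster order: {poster:5s} blanket order: {blanket}")
```

The only packet whose fate differs between the two orders is the ICMP destination-unreachable from the 10/8-numbered router: the poster's order lets it through, the blanket order drops it and with it any path-MTU discovery that depended on it. Note that the ICMP exception is deliberately narrow (echo requests, type 8, are still denied from private space) and that 172.32.0.1 is outside 172.16.0.0/12, which is a common off-by-one when people write that block as 172.16.0.0/16 or 172.0.0.0/8.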

