[30152] in North American Network Operators' Group
Re: RFC 1918
daemon@ATHENA.MIT.EDU (John Fraizer)
Mon Jul 17 07:32:29 2000
Date: Mon, 17 Jul 2000 07:28:55 -0400 (EDT)
From: John Fraizer <nanog@EnterZone.Net>
To: Bohdan Tashchuk <tashchuk@easystreet.com>
Cc: nanog@merit.edu
In-Reply-To: <39724C3C.555CBBD9@easystreet.com>
Message-ID: <Pine.LNX.4.21.0007170724440.16521-100000@Overkill.EnterZone.Net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu
On Sun, 16 Jul 2000, Bohdan Tashchuk wrote:
>
> The relevant snippet of my rules on my ingress filter is:
>
> 1) ... block bad things such as unused or spoofed addrs ...
> 2) allow icmp from any to any icmptypes 0,3,4,11,12
> 3) deny ip from 10.0.0.0/8 to any
> 4) deny ip from 172.16.0.0/12 to any
> 5) deny ip from 192.168.0.0/16 to any
> 6) allow tcp from any to any 1024-65535 established
> 7) ... some other rules ...
> 8) deny everything else by default
>
> Line #2 allows relatively benign incoming ICMP, such as "fragmentation
> needed", but hopefully blocks the more problematic stuff.
<SNIP>
> If you take it upon yourself to "filter all RFC1918 usage" from the outside
> world, you (and your customers) will suffer for it. Because it seems to be
> established practice out there.
The ruleset you use is great for a leaf-node. The problem it can
represent on the borders of a larger network is that a lot of nice script
kiddies like to spoof their source as RFC1918 space and since ICMP is 8
times out of 10 their payload, using such on the edges exposes the core
(and potentially some poor customer of yours on a DS1, etc) to whatever
level of hate-and-discontent you're capable of accepting on the borders.
---
John Fraizer
EnterZone, Inc
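As an added illustration (not part of the original thread), the quoted ipfw-style ruleset modelled as a first-match evaluator in Python: the Packet fields, the sample addresses and the alternative "deny-first" ordering are constructed here to show that, in the posted order, an ICMP packet with an RFC 1918 source matches line 2 before lines 3-5 ever see it.

```python
import ipaddress
from dataclasses import dataclass

# Constructed for this example: the RFC 1918 blocks from lines 3-5 and the
# ICMP types allowed on line 2 of the quoted ruleset.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BENIGN_ICMP = {0, 3, 4, 11, 12}

@dataclass
class Packet:
    proto: str                 # "icmp" or "tcp"
    src: str                   # source address as text
    icmp_type: int = -1        # ICMP type, or -1 for non-ICMP
    dport: int = 0             # TCP destination port
    established: bool = False  # TCP segment with ACK or RST set

def allow_benign_icmp(p):        # line 2
    return "allow" if p.proto == "icmp" and p.icmp_type in BENIGN_ICMP else None

def deny_rfc1918_source(p):      # lines 3-5
    src = ipaddress.ip_address(p.src)
    return "deny" if any(src in net for net in RFC1918) else None

def allow_established_tcp(p):    # line 6
    ok = p.proto == "tcp" and 1024 <= p.dport <= 65535 and p.established
    return "allow" if ok else None

# The order as posted: the ICMP allow is evaluated before the RFC 1918 denies.
POSTED_ORDER = [allow_benign_icmp, deny_rfc1918_source, allow_established_tcp]
# Constructed alternative: RFC 1918 denies first, so spoofed ICMP never reaches line 2.
DENY_FIRST_ORDER = [deny_rfc1918_source, allow_benign_icmp, allow_established_tcp]

def filter_packet(p, rules):
    """First-match evaluation; an unmatched packet falls to line 8's default deny."""
    for rule in rules:
        verdict = rule(p)
        if verdict is not None:
            return verdict
    return "deny"

# Constructed sample traffic: "fragmentation needed" (type 3) from an RFC 1918
# source versus the same ICMP from a public address.
spoofed = Packet(proto="icmp", src="10.1.2.3", icmp_type=3)
legit = Packet(proto="icmp", src="198.51.100.7", icmp_type=3)

if __name__ == "__main__":
    for name, rules in (("posted", POSTED_ORDER), ("deny-first", DENY_FIRST_ORDER)):
        print(f"{name}: spoofed={filter_packet(spoofed, rules)} legit={filter_packet(legit, rules)}")
```

The deny-first order also drops a genuine "fragmentation needed" sent by a router numbered out of RFC 1918 space, which is the cost the quoted message is weighing against the border exposure John describes.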