[Re: [nsp] 192.168.x.y from upstream]

Joshua Smith joshua.ej.smith at usa.net
Mon Mar 10 11:03:47 EST 2003


for some discussion and thoughts on how to deal with bogons, check out

http://www.cymru.com/Bogons/index.html

*please note I am not trying to start a flame-war, I do this on my 
network, and I don't care that you may not.  

thanks

joshua

Rivo Tahina RAZAFINDRATSIFA <r.tahina at dts.mg> wrote:
> Thank you!
> A 13:02 10/03/03 +0000, vous avez écrit :
> >
> >On Mon, 10 Mar 2003, Gert Doering wrote:
> >
> >> On Mon, Mar 10, 2003 at 02:42:01PM +0300, Rivo Tahina RAZAFINDRATSIFA wrote:
> >> > Why do I receive something from a private IP address such as 192.168. from my
> >> > upstream?
> >> 
> >> Because many ISPs are lazy and do not properly filter packets before
> >> the packets leave their networks.
> >
> >Indeed, although at one time this setup was encouraged when we thought IP
> >space was scarce!
> >
> >But do NOT ever filter this on your core network or you will break things
> >that the RFC1918 sourced packets may be carrying - most significantly pMTU
> >conveyed with ICMP.
> >
> >The most prominent site I was aware of using RFC1918 internally that breaks
> >if you filter RFC1918 ingress and then use <1500 MTU was bt.com (amongst
> >others). The problem being a lot of companies use private addresses behind
> >firewalls and do not include them in dynamic NAT configs etc., falsely
> >assuming these systems will never send packets to the Internet.
> >
> >> Proper network management consists of (relating to RFC1918 only):
> >> 
> >>  - don't use RFC 1918 addresses for the ISP backbone networks
> >>    (because traceroute and other ICMP responses might end up being
> >>    sent with those addresses, which violates RFC 1918)
> >
> >Absolutely, this is a violation of RFC1918..
> > 
> >>  - filter your customer access lines so that customers can only generate
> >>    packets with source IPs that belong to them ("anti-spoofing"), see
> >>    also RFC 2827 "Network Ingress Filtering".
> >
> >Good anti-DDoS measure this..
> >
> >Steve
> >
> >> 
> >> gert
> >> 
> >
> >_______________________________________________
> >cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >http://puck.nether.net/mailman/listinfo/cisco-nsp
> >archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> >
> 



"Walk with me through the Universe,
 And along the way see how all of us are Connected.
 Feast the eyes of your Soul,
 On the Love that abounds.
 In all places at once, seemingly endless,
 Like your own existence."
     - Stephen Hawking -
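The two measures Gert lists (filter RFC1918 sources at the edge, and RFC 2827 anti-spoofing on customer access lines) together with Steve's caveat (an RFC1918-sourced ICMP "fragmentation needed" may be the only thing keeping PMTU discovery alive toward a badly NATed site) can be expressed as one small policy. The following is an added example, not code or configuration from the thread or from the Cymru bogon page: it evaluates constructed packets against a customer-side filter and an upstream-edge filter, and renders each as a Cisco IOS extended ACL. The customer prefix 203.0.113.0/24, the ACL names and the sample packets are all assumptions; the bogon list here is only the three RFC1918 blocks, not the full list the Cymru page maintains, and the upstream filter is meant for an edge interface, not the core, exactly as Steve warns.

```python
"""Added example: RFC 2827 ingress filtering on a customer access line plus an
RFC1918 source filter at the upstream edge that still lets ICMP 'fragmentation
needed' (type 3, code 4) through so path-MTU discovery keeps working.
Hypothetical policy and addresses, not taken from the mailing-list thread."""
import ipaddress
from dataclasses import dataclass

# RFC 1918 private blocks; the full bogon list is longer, this is only the
# part the thread discusses.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed: prefixes assigned to one customer, used for the RFC 2827 filter.
CUSTOMER_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    icmp_type: int = -1   # only meaningful when proto == "icmp"
    icmp_code: int = -1


def is_frag_needed(p: Packet) -> bool:
    """ICMP Destination Unreachable / Fragmentation Needed, the PMTUD signal."""
    return p.proto == "icmp" and p.icmp_type == 3 and p.icmp_code == 4


def customer_ingress(p: Packet, prefixes=CUSTOMER_PREFIXES) -> bool:
    """Access-line filter (RFC 2827): permit only sources the customer owns.
    Returns True if the packet is permitted."""
    src = ipaddress.ip_address(p.src)
    return any(src in n for n in prefixes)


def upstream_edge(p: Packet, bogons=RFC1918) -> bool:
    """Edge filter toward an upstream: drop RFC1918-sourced packets, except the
    'fragmentation needed' messages that PMTUD depends on. True = permitted."""
    if is_frag_needed(p):
        return True
    src = ipaddress.ip_address(p.src)
    return not any(src in n for n in bogons)


def customer_acl(name="CUSTOMER-IN", prefixes=CUSTOMER_PREFIXES) -> str:
    """Render the RFC 2827 filter as an IOS extended ACL (wildcard masks)."""
    lines = [f"ip access-list extended {name}"]
    for n in prefixes:
        lines.append(f" permit ip {n.network_address} {n.hostmask} any")
    lines.append(" deny ip any any log")
    return "\n".join(lines)


def upstream_acl(name="UPSTREAM-IN", bogons=RFC1918) -> str:
    """Render the edge filter as an IOS extended ACL; the packet-too-big permit
    must precede the RFC1918 denies so PMTUD is not broken."""
    lines = [f"ip access-list extended {name}",
             " permit icmp any any packet-too-big"]
    for n in bogons:
        lines.append(f" deny ip {n.network_address} {n.hostmask} any")
    lines.append(" permit ip any any")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample traffic.
    samples = [
        Packet("203.0.113.5", "198.51.100.1", "tcp"),          # legitimate customer
        Packet("192.168.1.1", "198.51.100.1", "udp"),          # spoofed / leaked
        Packet("192.168.0.1", "203.0.113.5", "icmp", 3, 4),    # PMTUD from a NATed site
    ]
    for p in samples:
        print(p.src, "customer:", customer_ingress(p), "edge:", upstream_edge(p))
    print(customer_acl())
    print(upstream_acl())
```

The order of the upstream ACL lines is the whole point: if the `deny` lines for RFC1918 come first, the "packet-too-big" exception never matches and you reproduce the bt.com-style breakage Steve describes for sub-1500 MTU paths.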
