[c-nsp] dropping traffic for RFC3330 networks

Ted Mittelstaedt tedm at toybox.placo.com
Tue Aug 29 05:59:30 EDT 2006


----- Original Message ----- 
From: <lee.e.rian at census.gov>
To: "Michael K. Smith" <mksmith at adhost.com>
Cc: <cisco-nsp at puck.nether.net>
Sent: Monday, August 28, 2006 9:20 PM
Subject: Re: [c-nsp] dropping traffic for RFC3330 networks


> Hi  Mike,
>
> I had a couple of mistakes in the list - here's a corrected copy
>
> ip route 0.0.0.0       255.0.0.0     null0
> ip route 10.0.0.0      255.0.0.0     null0
> ip route 127.0.0.0     255.0.0.0     null0
> ip route 128.0.0.0     255.255.0.0   null0
> ip route 169.254.0.0   255.255.0.0   null0
> ip route 172.16.0.0    255.240.0.0   null0
> ip route 191.255.0.0   255.255.0.0   null0
> ip route 192.0.0.0     255.255.255.0 null0
> ip route 192.0.2.0     255.255.255.0 null0
> ip route 192.168.0.0   255.255.0.0   null0
> ip route 198.18.0.0    255.254.0.0   null0
> ip route 223.255.255.0 255.255.255.0 null0
> ip route 240.0.0.0     240.0.0.0     null0
>
>
> "Michael K. Smith" <mksmith at adhost.com> wrote on 08/28/2006 07:07:51 PM:
>
> > Check out http://www.cymru.com/Documents/bogon-dd.html for an updated list
> > of all the bogons in various forms (decimal, Cisco ACL, etc.)
>
> I did - and didn't see things like 128.0.0.0/16 and 192.0.0.0/24 which I
> don't think are valid Internet addresses.
>
> > The only caveat is you want to keep abreast of when changes are made by the
> > various Registrars to add announcements to the global routing tables.  If you
> > don't keep abreast you can end up blackholing legitimate traffic.
>
> I'd rather not put us in a position where someone would have to monitor
> net.block assignments to keep the list up to date.  My guess is that we'll
> all be using IPv6 before anything on my list becomes a valid Internet
> destination address.
>

I very much doubt that.  The networks that really need lots of IP numbers,
like the cell phone networks and such, have already gone to IPv6 and
are using gateways to the IPv4 network.  And while the IP engineers
continue to believe that NAT is nothing more than a transition device,
it has become integrated into firewalling, and it is extremely unlikely that
most corporations that are not exchanging BGP to multiple providers on the
Internet will switch away from RFC1918 private addresses.

You need to take a look at the following:

http://bgp.potaroo.net/ipv4/

This is one of the most current reports out there.  According to
projections we will run out of IPv4 in 2012.  However, the paper's
author makes a point that the approach of the exhausted IPv4 is
going to put pressure to reclaim space in the unadvertised blocks,
such as many in the 128.x.x.x block.

But more importantly, I think you're missing the point about this kind
of filtering to begin with.  Don't you realize how loose many networks
are?  For example, we just acquired a smaller ISP that is being fed
by Cogent communications, and I discovered during the integration
program that Cogent allows them to source IP addresses that aren't
allocated to them - I can send IP traffic sourced from our IP blocks,
into the Cogent network, and have it go out onto the Internet and the
response packets come back into my network.

If you're only filtering the obvious ones like you listed above,
then many networks will allow an attacker to source a DDoS
attack against you from any IP address listed in the
unadvertised list here:

http://bgp.potaroo.net/ipv4-stats/prefixes_unadv_pool.txt

Ted
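As an added check that is not part of the thread, the following Python script parses a list of `ip route ... null0` lines like the one quoted above, rejects entries whose mask is non-contiguous or whose network address has host bits set under that mask (the kind of slip that needed a corrected copy), and reports which wanted ranges the null routes leave uncovered. The sample config is constructed from the posted list plus one deliberately misaligned 172.20.0.0 entry; the `224.0.0.0/4` range used in the check is an illustrative choice, not from the thread.

```python
import ipaddress
import re

# Constructed sample: the posted null-route list plus one misaligned entry.
SAMPLE_CONFIG = """\
ip route 0.0.0.0       255.0.0.0     null0
ip route 10.0.0.0      255.0.0.0     null0
ip route 127.0.0.0     255.0.0.0     null0
ip route 128.0.0.0     255.255.0.0   null0
ip route 169.254.0.0   255.255.0.0   null0
ip route 172.16.0.0    255.240.0.0   null0
ip route 191.255.0.0   255.255.0.0   null0
ip route 192.0.0.0     255.255.255.0 null0
ip route 192.0.2.0     255.255.255.0 null0
ip route 192.168.0.0   255.255.0.0   null0
ip route 198.18.0.0    255.254.0.0   null0
ip route 223.255.255.0 255.255.255.0 null0
ip route 240.0.0.0     240.0.0.0     null0
ip route 172.20.0.0    255.240.0.0   null0
"""

ROUTE_RE = re.compile(r"^\s*ip route\s+(\S+)\s+(\S+)\s+null0\s*$", re.I)

def parse_null_routes(config):
    """Return (prefixes, problems): each 'ip route ... null0' line becomes an
    IPv4Network; a non-contiguous mask or host bits set under the mask is
    reported as a problem instead of being silently kept (strict parsing)."""
    prefixes, problems = [], []
    for line in config.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        net, mask = m.groups()
        try:
            prefixes.append(ipaddress.ip_network(f"{net}/{mask}"))
        except ValueError as err:
            problems.append((line.strip(), str(err)))
    return prefixes, problems

def is_blackholed(addr, prefixes):
    """True if traffic *destined* to addr hits a null route. Static routes say
    nothing about spoofed *source* addresses; that needs ingress filtering."""
    ip = ipaddress.ip_address(addr)
    return any(ip in p for p in prefixes)

def uncovered(wanted_cidrs, prefixes):
    """Ranges in wanted_cidrs that are not entirely inside a null-routed prefix."""
    return [c for c in wanted_cidrs
            if not any(ipaddress.ip_network(c).subnet_of(p) for p in prefixes)]
```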


