[c-nsp] something a little different rfc1918 from transit networks?
David Freedman
david.freedman at uk.clara.net
Tue Nov 13 10:03:56 EST 2007
Drew Weaver wrote:
> SLOT 6:Nov 12 17:10:36.121 EST: %SEC-6-IPACCESSLOGP: list 175 denied tcp 192.168.1.2(0) (GigabitEthernet2 ) -> ip.add.re.ss(0), 1 packet
> SLOT 10:Nov 12 17:10:39.841 EST: %SEC-6-IPACCESSLOGP: list 175 denied tcp 192.168.1.2(0) (GigabitEthernet0 ) -> ip.add.re.ss(0), 1 packet
>
> This is the first time I can say I've ever seen this; I'm assuming it's spoofed, but I'm not going to rule anything out here.
>
> Let's say that slot 6/2 is connected to one transit carrier and slot 10/0 is connected to another transit carrier (which is the case).
This is normal, somebody reachable via your upstream (possibly a
downstream or peer without uRPF configured) has been sending packets
sourced from these addresses.
>
> I'm trying to figure out if those 192.168.1.2 packets that my ACL 175 is denying are actually SRC'd from 192.168.1.2 or they're spoofed;
> is there any way to know that for sure?
Of course they are sourced from 192.168.1.2, in so much as somebody has
created packets with this as the source address and their network
provider has not filtered them.
>
> Any thoughts or advice?
It's normal; provided you filter RFC1918 as part of your standard bogon
filtering, you shouldn't need to lose any sleep over it.
Dave.
>
> Thanks,
> -Drew
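As an added illustration (not code from the thread), the triage a defender would do on these %SEC-6-IPACCESSLOGP records: rejoin console-wrapped lines, classify each denied source against RFC1918 and the other standard bogon ranges, and total denied packets per ingress interface so you can see which transit carrier is delivering the unfiltered traffic. The log sample is constructed (203.0.113.10 is a documentation address standing in for the redacted destination); the list-175 and interface names follow the post.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample modelled on the %SEC-6-IPACCESSLOGP lines quoted above: 203.0.113.10 (TEST-NET-3)
# stands in for the redacted "ip.add.re.ss", and the second record is wrapped mid-address the way an
# 80-column console wraps long log lines.
SAMPLE_LOG = """\
SLOT 6:Nov 12 17:10:36.121 EST: %SEC-6-IPACCESSLOGP: list 175 denied tcp 192.168.1.2(0) (GigabitEthernet2 ) -> 203.0.113.10(0), 1 packet
SLOT 10:Nov 12 17:10:39.841 EST: %SEC-6-IPACCESSLOGP: list 175 denied tcp 192.16
8.1.2(0) (GigabitEthernet0 ) -> 203.0.113.10(0), 1 packet
SLOT 6:Nov 12 17:11:02.004 EST: %SEC-6-IPACCESSLOGP: list 175 denied udp 10.4.4.4(53) (GigabitEthernet2 ) -> 203.0.113.10(53), 3 packets
"""
# RFC1918 space plus the other never-routable ranges a standard bogon filter covers.
BOGONS = {
    "rfc1918": [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "other-bogon": [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/3")],
}
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) \((?P<ifname>[^ )]+) ?\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def unwrap(text):
    # A continuation line is one that does not begin a new "SLOT n:" record; glue it onto
    # the previous record so a source address split across lines is whole again.
    records = []
    for line in text.splitlines():
        if line.startswith("SLOT ") or not records:
            records.append(line)
        else:
            records[-1] += line
    return records
def classify(src):
    addr = ipaddress.ip_address(src)
    return next((lbl for lbl, nets in BOGONS.items() if any(addr in n for n in nets)), "routable")
def parse(text):
    # One dict per denied flow, with its source classified as rfc1918, other-bogon or routable.
    entries = []
    for m in filter(None, map(LOG_RE.search, unwrap(text))):
        d = m.groupdict()
        d["count"], d["class"] = int(d["count"]), classify(d["src"])
        entries.append(d)
    return entries
def denied_by_interface(text):
    # Denied packets per (ingress interface, source class): which transit link delivers the bogon traffic.
    totals = Counter()
    for e in parse(text):
        totals[(e["ifname"], e["class"])] += e["count"]
    return totals
```

Feed it the router's syslog export instead of SAMPLE_LOG; a persistent count on one interface and none on the other is the same asymmetry the original post describes, and points at which upstream lacks source filtering.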