Why on earth would anyone let any of the following networks into their
network at the border?
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
Hell, for that matter, I block anything claiming to be from our networks as
well. There's no way they'll be originating from the outside unless it's
spoofed.
Nothing and I mean NOTHING claiming to be from any of them at your border
is valid.
John Fraizer wrote:
> Why on earth would anyone let any of the following networks into their
> network at the border?
> 10.0.0.0/8
> 172.16.0.0/12
> 192.168.0.0/16
> Hell, for that matter, I block anything claiming to be from our networks as
> well. There's no way they'll be originating from the outside unless it's
> spoofed.
> Nothing and I mean NOTHING claiming to be from any of them at your border
> is valid.
Define "network border." I used to block all traffic from or to RFC1918
addresses, but my present upstream is using 10.0.0.0/8 and
172.16.0.0/16, at least, for their internal use. So, the IP address of
the WAN interface on my router connecting to them has a 10.0.0.0/8
address. If I block incoming traffic to 10.0.0.0/8, they can't monitor
my net.
It appears this is becoming the preferred way for ISPs to limit their
use of address space for internal-only functions. While this makes sense
at some levels, attached corporate networks may have already used those
addresses. The result is some level of confusion, though for the most
part it doesn't break too many things. Mostly, it's just annoying since
firewalls can't filter out stuff they'd otherwise limit.
In cases where ISPs use RFC1918 addresses within their networks, they
really should:
- Tell their downstream customers WHICH of these blocks are in use.
- Provide filters at peering points that ensure RFC1918 addresses from
outside the ISP's space do not come in from outside.
- Provide Ingress filtering at all downstream customer ports to ensure
only valid source IP addresses come from their customers.
Dan
Actually, if you have a multihomed customer with your address space and
their link to you goes down, you could legitimately receive traffic from
your address block across external links if they then access hosts on
your network via other connections.
However, allowing that opens your network up to being spoofed, and so it is
commonly accepted practice to block internal addresses coming in over
transit/peering links. If someone wants to multihome, they really need to
have their own address block to take full advantage of it anyway.
You have an analogous problem if you filter inbound customer links, in that
if they are multihomed and have address space from another ISP, you have to
allow those addresses in your filters. If they provide transit, you either
need to have everything downstream for them or just punt (perhaps only
blocking your address space that you didn't assign to them).
John A. Tamplin Traveller Information Services
jat@Traveller.COM 2104 West Ferry Way
256/705-7007 - FAX 256/705-7100 Huntsville, AL 35801
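To make the two rule sets discussed in this thread concrete, here is an added example in Python (not code from any of the posters): a transit-link filter that drops RFC1918 and own-address-space sources, with the one exception Dan's situation needs (the upstream's disclosed internal block reaching the WAN interface address so they can still monitor the link), and a per-customer-port ingress filter that admits only prefixes assigned to that customer, including another ISP's space for a multihomed customer as John Tamplin describes. All prefixes, the WAN address and the port names are constructed from documentation address space.

```python
import ipaddress
from dataclasses import dataclass

# The three RFC1918 blocks named in the thread.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class BorderPolicy:
    own_blocks: list                      # prefixes we announce; never a valid source from outside
    upstream_internal: list               # RFC1918 blocks the upstream has told us it uses internally
    wan_interface: ipaddress.IPv4Address  # our router's link address, taken from the upstream's block
    customer_sources: dict                # customer port -> prefixes that customer may source

def _in_any(addr, nets):
    return any(addr in net for net in nets)

def transit_ingress(src, dst, policy):
    """Verdict for a packet arriving over a transit/peering link."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Narrow exception: the upstream's disclosed internal block may reach our WAN address
    # (so their monitoring keeps working); any other RFC1918 source is dropped.
    if _in_any(src, policy.upstream_internal) and dst == policy.wan_interface:
        return "permit"
    if _in_any(src, RFC1918):
        return "deny-rfc1918-source"
    if _in_any(src, policy.own_blocks):
        return "deny-spoofed-own-space"
    return "permit"

def customer_ingress(port, src, policy):
    """Verdict for a packet arriving on a downstream customer port: only assigned sources."""
    allowed = policy.customer_sources.get(port, [])
    return "permit" if _in_any(ipaddress.ip_address(src), allowed) else "deny-unassigned-source"

# Constructed example policy: documentation prefixes stand in for real address space.
POLICY = BorderPolicy(
    own_blocks=[ipaddress.ip_network("198.51.100.0/24")],
    upstream_internal=[ipaddress.ip_network("10.0.0.0/8")],
    wan_interface=ipaddress.ip_address("10.1.2.3"),
    customer_sources={
        # cust-a is multihomed: a /25 assigned by us plus a /24 from its other ISP.
        "cust-a": [ipaddress.ip_network("198.51.100.128/25"), ipaddress.ip_network("203.0.113.0/24")],
    },
)

if __name__ == "__main__":
    print(transit_ingress("10.5.5.5", "10.1.2.3", POLICY))            # permit (upstream monitoring)
    print(transit_ingress("198.51.100.77", "198.51.100.10", POLICY))  # deny-spoofed-own-space
    print(customer_ingress("cust-a", "203.0.113.4", POLICY))          # permit
```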