Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: Martian list of IP's to block???

  • From: Joe Abley
  • Date: Sat Oct 02 08:17:52 1999

On Fri, Oct 01, 1999 at 08:02:23AM -0400, rfuller@3x.com wrote:
>     deny   ip 10.0.0.0 0.255.255.255 any log
>     deny   ip 172.16.0.0 0.15.255.255 any log
>     deny   ip 192.168.0.0 0.0.255.255 any log

These three clauses will block things like ICMP would-fragment and
ttl-expired messages, in the event that some transitory bit of network
between your customer and someone else's customer is numbered using
RFC1918 address space (and causes such messages to be sent).

I know of several networks which use RFC1918 addresses like this,
in the belief that since the elements with these numbers never
need to receive a packet from anybody outside the operator's network,
there is no need for the numbers to be globally unique.

In my opinion, such RFC1918 visibility in the public network is
misguided, and half of the disruption to service caused by rules
like those above could be considered just punishment.

Trouble is, the other half of the disruption is for your customers,
and you know who they're going to blame if they can't reach their
favourite repository of huge flesh-tone jpegs.

Operational content: does anybody actually block packets inbound
from off-net, in the case where they are sourced from an RFC1918
address? If so, do your customers complain?


Joe
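
An added example, not part of the original message: a small evaluator for the three quoted clauses, run over constructed packets, showing that a source-only `deny ip` match also drops ICMP error messages emitted by an RFC1918-numbered transit router. The sample addresses, the packet descriptions and the assumption that the unquoted remainder of the list permits traffic are illustrative.

```python
import ipaddress

# The three quoted clauses (Cisco extended-ACL syntax with wildcard masks).
ACL = """\
deny   ip 10.0.0.0 0.255.255.255 any log
deny   ip 172.16.0.0 0.15.255.255 any log
deny   ip 192.168.0.0 0.0.255.255 any log
"""

# Constructed sample packets: (source address, description).
PACKETS = [
    ("10.1.2.3", "icmp type 3 code 4 (fragmentation needed) from a transit router"),
    ("172.20.0.1", "icmp type 11 code 0 (ttl exceeded) from a transit router"),
    ("172.32.0.1", "tcp segment, just outside 172.16.0.0/12"),
    ("192.0.2.80", "tcp segment from a publicly numbered host"),
]

def parse_acl(text):
    """Return [(action, base, wildcard)] with addresses as 32-bit integers."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[1] != "ip":
            continue  # only the 'action ip src wildcard any' form is handled
        action, _, src, wildcard = fields[:4]
        rules.append((action, int(ipaddress.IPv4Address(src)),
                      int(ipaddress.IPv4Address(wildcard))))
    return rules

def evaluate(rules, src):
    """First match wins; wildcard bits set to 1 are 'don't care' bits."""
    addr = int(ipaddress.IPv4Address(src))
    for action, base, wildcard in rules:
        care = ~wildcard & 0xFFFFFFFF
        if addr & care == base & care:
            return action  # 'ip' matches every protocol, ICMP errors included
    return "permit"  # assumption: the rest of the list (not quoted) permits

def run(packets=PACKETS):
    rules = parse_acl(ACL)
    return [(src, desc, evaluate(rules, src)) for src, desc in packets]

if __name__ == "__main__":
    for src, desc, verdict in run():
        print(f"{verdict:6}  {src:15}  {desc}")
```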




