Re: Removing ping/icmp from a network
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Tue, 1 Apr 2008 14:13:39 +0200
On 2008-03-29 Michael Painter wrote:
> On Friday, March 28, 2008 6:44 AM Ansgar -59cobalt- Wiechers wrote:
>> On 2008-03-27 Michael Painter wrote:
>>> I'm not sure what 'clean' means, but I'm not supposed to see 10/8
>>> addresses on the "Internet".
>>
>> You aren't seeing them "on the Internet".
>
> Poor choice of words, maybe? How about via the Internet?
>
> Anyway, there are (at least) two schools of thought on this, as shown
> by this thread from NANOG.
>
> (From RFC 1918)
> Because private addresses have no global meaning, routing
> information about private networks shall not be propagated on
> inter-enterprise links, and packets with private source or
> destination addresses should not be forwarded across such links.
> Routers in networks not using private address space, especially
> those of Internet service providers, are expected to be
> configured to reject (filter out) routing information about
Traceroute results don't qualify as routing information (that would be
BGP, OSPF, or RIP data), and the private address only shows up as the
source address of the "time exceeded" packet. You'll note that the RFC
doesn't require, but only recommends not forwarding packets with private
source addresses, so there's no real violation of RFC 1918 here. I'll
agree that it is a bad practice, though.
"All vulnerabilities deserve a public fear period prior to patches
--Jason Coombs on Bugtraq
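An added example, not part of the thread, illustrating the distinction drawn above: it parses traceroute output and flags hops whose "time exceeded" reply was sourced from an RFC 1918 address (the only place such addresses show up in a trace). The trace text is constructed for the example; the function names are the example's own.

```python
import ipaddress
import re

# The RFC 1918 blocks the thread is about. Listed explicitly rather than using
# ipaddress's is_private, which also matches loopback, link-local and others.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches "N  name (a.b.c.d) ..." or "N  a.b.c.d (a.b.c.d) ..."; "* * *" hops don't match.
HOP_RE = re.compile(r"^\s*(\d+)\s+(?:(\S+)\s+)?\((\d+\.\d+\.\d+\.\d+)\)")

# Constructed sample trace (not a real one): hop 3 answers from a 10/8 link address.
SAMPLE_TRACE = """\
traceroute to example.invalid (203.0.113.10), 30 hops max
 1  gw.lan (192.168.1.1)  0.512 ms  0.401 ms  0.388 ms
 2  198.51.100.1 (198.51.100.1)  8.123 ms  7.998 ms  8.044 ms
 3  10.250.3.1 (10.250.3.1)  12.301 ms  12.120 ms  12.444 ms
 4  * * *
 5  203.0.113.10 (203.0.113.10)  20.010 ms  19.870 ms  19.955 ms
"""


def parse_hops(text):
    """Return (hop number, responding address) for every hop that answered."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), ipaddress.ip_address(m.group(3))))
    return hops


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def private_hops(text, skip_first=True):
    """Hops whose ICMP time-exceeded source is an RFC 1918 address.

    Hop 1 is normally the local gateway and is expected to be private, so it
    is skipped by default; later private hops are transit routers that number
    their links from private space, the "bad practice" case in the thread."""
    return [(n, str(a)) for n, a in parse_hops(text)
            if is_rfc1918(a) and not (skip_first and n == 1)]
```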