Firewall Wizards mailing list archives

Re: egress/ingress filtering


From: "Crist Clark" <crist.clark () globalstar com>
Date: Fri, 16 Feb 2001 11:25:12 -0800

"Irwin R. Naumann" wrote:

[snip]

> How does one find out "_why_ that block is reserved"? I can look at the
> Internet Protocol Address Space document and it describes the current
> address space allocation. I realize we're fast approaching the exhaustion
> of the IPv4 address space. What was reserved yesterday is allocated today.
> 
> Filter rules need to be maintained. Isn't this another facet of maintaining
> these rules?

RFC1918 and the Manning draft outline pretty much all of the addresses
that are reserved and never to be used as registered, unicast addresses.
There are also blocks of IPv4 that are in use, but not actually on the 
Internet. There are some partial lists of those.

But I guess the point in my first mail did not make it through. There
really is no great benefit in blocking reserved addresses. Since traffic
will generally not be routed back to the source, the types of attacks
done when using a reserved address as the source IP are very limited.
DoS, especially DDoS, attacks would probably be the main concern. 
However, for the attacker, it is just as easy to spoof registered
addresses as a reserved address. The attacker can choose only to spoof
registered addresses, and any rules you have to block reserved 
addresses are of no assistance. If the attacker is generating totally
random sources, your reserved filters only cover a minute portion of
IPv4 space, and would reduce the total traffic passing through the 
router one or two percent at a _maximum._ This is really not enough
to mitigate the effects of such an attack.

So, to say it one more time, I do not feel it is worth the effort
to put the time into researching and tracking anything beyond
RFC1918 and the Manning draft.

And note that this is only a concern for ingress filters. For egress
filters, you know what your valid source addresses are. All reserved
addresses would be blocked by default since they would not be part
of your valid source address pool.
-- 
Crist J. Clark                                Network Security Engineer
crist.clark () globalstar com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above.  If
the reader of this e-mail is not the intended recipient, or the employee
or agent responsible to deliver it to the intended recipient, you are
hereby notified that any review, dissemination, distribution or copying
of this communication is strictly prohibited.  If you have received this
e-mail in error, please contact postmaster () globalstar com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
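Added illustration, not part of the post or of the firewall-wizards archive: a small Python model of the two filters the reply contrasts. An ingress filter is a deny-list of reserved source blocks (RFC 1918 here), while an egress filter is an allow-list of the site's own source pool. The script measures how much of the IPv4 space the RFC 1918 blocks cover and runs both filters over two constructed spoofed-source floods, one with uniformly random sources and one that spoofs only a registered block. The site prefix 203.0.113.0/24 and the attacker prefix 198.51.100.0/24 are assumptions taken from RFC 5737 documentation space, not real assignments.

```python
import ipaddress
import random

# RFC 1918 private blocks: the reserved ranges the post says are worth
# keeping in an ingress deny-list.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical site prefix for the egress allow-list (assumption for this
# example; RFC 5737 documentation space, not a real assignment).
SITE_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


def covered_fraction(nets):
    """Share of the 2^32 IPv4 addresses inside the given non-overlapping networks."""
    return sum(n.num_addresses for n in nets) / 2 ** 32


def ingress_allows(src):
    """Border ingress filter: deny-list, drops only sources inside a reserved block."""
    return not any(src in n for n in RFC1918)


def egress_allows(src):
    """Egress filter: allow-list, passes only sources drawn from our own address pool."""
    return any(src in n for n in SITE_PREFIXES)


def random_sources(count, seed=1):
    """Uniformly random 32-bit sources, modeling a flood tool that spoofs at random (constructed)."""
    rng = random.Random(seed)
    return [ipaddress.IPv4Address(rng.getrandbits(32)) for _ in range(count)]


def registered_sources(count, prefix="198.51.100.0/24", seed=1):
    """Sources spoofed only from a registered, non-reserved block (constructed attacker behavior)."""
    hosts = list(ipaddress.ip_network(prefix).hosts())
    rng = random.Random(seed)
    return [rng.choice(hosts) for _ in range(count)]


def pass_rates(sources):
    """Fraction of the spoofed packets each filter would let through."""
    n = len(sources)
    return {
        "ingress": sum(ingress_allows(s) for s in sources) / n,
        "egress": sum(egress_allows(s) for s in sources) / n,
    }


if __name__ == "__main__":
    print(f"RFC 1918 covers {covered_fraction(RFC1918):.2%} of IPv4 space")
    print("random-source flood:    ", pass_rates(random_sources(100_000)))
    print("registered-only flood:  ", pass_rates(registered_sources(10_000)))
```

The three RFC 1918 blocks together are 2^24 + 2^20 + 2^16 addresses, about 0.42% of the address space, so the ingress deny-list drops only that share of a random-source flood and nothing at all from a flood that spoofs registered addresses. The egress allow-list drops both floods regardless of which blocks are reserved, which is the point made about egress filters above.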


Current thread: