Firewall Wizards mailing list archives
RE: egress/ingress filtering
From: shewitt () cdw com
Date: Thu, 15 Feb 2001 15:24:59 -0600
I was just looking over the internet draft referenced below, and I was
confused with the access-list example given in the document.
This is an excerpt from the internet draft:
4. Access Control suggestions:
In today's network, it is prudent to control access. In the case of these special use prefixes, it is generally a good idea to filter them so they do not propagate. After all, you don't want someone else's use of these prefixes to taint your environment. All of these address classes should be invalid as source addresses (except where negotiated in advance), and very few should be permitted as destination addresses (Multicast for example, should be permitted as a destination, just not as a source). An example of one form of access control is listed below:
...
access-list 100 deny ip host 0.0.0.0 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 100 deny ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 100 deny ip 172.16.0.0 0.15.255.255 255.240.0.0 0.15.255.255
access-list 100 deny ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 100 deny ip 192.0.2.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 100 deny ip 169.254.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 100 deny ip 240.0.0.0 15.255.255.255 any
access-list 100 permit ip any any
...
If it is representing Cisco IOS syntax, and we analyze one of the lines:
access-list 100 deny ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
Doesn't this say:
Deny all traffic with a source IP address in the range 127.0.0.0/8
and a destination address of 255.0.0.0/8?
If we wanted to deny all traffic with a source of 127.0.0.0/8 OR to deny all
traffic with a destination address of 127.0.0.0/8 we'd have to use two
separate access-list lines:
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip any 127.0.0.0 0.255.255.255
Can somebody confirm my confusion, or please clear this up for me?
Thanks!
--Scott Hewitt
-----Original Message-----
From: Irwin R. Naumann [mailto:irwin () thinkage ca]
Sent: February 15, 2001 01:08 PM
To: firewall-wizards () nfr com
Subject: [fw-wiz] egress/ingress filtering
I know that one should do egress/ingress filtering on one's network border(s) of the private networks described in RFC1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and anti-spoofing of one's own address blocks.
Bill Manning expanded this list to include:
0.0.0.0/8
127.0.0.0/8
192.0.2.0/24
169.254.0.0/16
all D/E space (with a caveat on Class D - multicast address space)
in http://search.ietf.org/internet-drafts/draft-manning-dsua-06.txt.
Is there an RFC or internet draft other than Bill Manning's that documents
special prefixes?
Are these ALL the special prefixes?
Why aren't "IANA - Reserved" blocks as found in
http://www.isi.edu/in-notes/iana/assignments/ipv4-address-space
included in egress/ingress filtering examples?
Irwin
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards