North American Network Operators Group


Re: address spoofing

  • From: Greg A. Woods
  • Date: Sat Apr 24 13:04:17 1999

[ On Friday, April 23, 1999 at 21:25:29 (-0500), Phil Howard wrote: ]
> Subject: Re: address spoofing
> 
> So are you making a case to allow RFC1918 source addresses out into the
> network?

Huh?  No, I thought I was saying very much the opposite!  I don't want
my upstream provider to use RFC1918 on inter-router links, but they do
anyway.  I'd like them to filter those addresses too, but they won't.

> How do you hide an IP network?

If you do all your internal routing over ATM or FR virtual circuits then
you won't need to (and in fact cannot) use IP numbers for those circuits
-- it all looks like the physical layer from IP's perspective (the
theory being that if you don't need IPs for inter-router links then you
won't be using precious unique IPs and feel the pressure to use RFC1918
numbers instead).  I'm certainly no expert at this, but from the outside
I've seen it done quite successfully.  It sure cuts down on the hop
count visible from traceroute too!

It's damn near impossible to debug from the outside, of course, but
sometimes that's desirable!  ;-)

> If you're proposing another set of addresses be reserved for uses like
> this, then I'd be in favor of it with you.  Using RFC1918 is certainly
> not the best way to do this, but using allocated space is no better as
> long as allocations are tight.

Using any other set of reserved addresses would have exactly the same
problem as using RFC1918 addresses has.  The only two viable options are
to either use globally unique addresses, or not to use any IP routing
internally at all.

> People don't know how to separate their internet DNS from intranet DNS.
> Or maybe they don't want to put the money into that kind of structure.
> If BIND could be modified to deliver different results depending on the
> source of the request, or its interface, then it might become easy for
> people to setup DNS to avoid this.

Yes, it can be done, but even I am not yet using the latest software,
which makes this much easier, on all the machines I manage.

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <[email protected]>      <robohack!woods>
Planix, Inc. <[email protected]>; Secrets of the Weird <[email protected]>
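The border filter Woods wants his upstream to run, written out as an added example (not code from the original post or from anyone in the thread): drop any packet whose source address is in RFC 1918 space, in either direction, and validate that traffic leaving a network carries one of that network's own source addresses. The "our" prefix 192.0.2.0/24 and the sample packets are constructed for illustration and stand in for nothing on the page.

```python
"""Border source-address filter covering RFC 1918 space.

Added example, not part of the original NANOG post. Models the filter
discussed in the thread: private source addresses must not cross an
organisational border in either direction, and only "our" globally
unique addresses may leave. All prefixes and packets are constructed.
"""
import ipaddress
from typing import Iterable, List, Tuple

# RFC 1918 private space: 10/8, 172.16/12, 192.168/16.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical: the globally unique prefix assigned to "our" network.
OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]


def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside any RFC 1918 block."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def in_prefixes(addr: str, prefixes) -> bool:
    """True if addr falls inside any of the given networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)


def decide(direction: str, src: str, our_prefixes=OUR_PREFIXES) -> Tuple[str, str]:
    """Border verdict for one packet.

    direction is "out" (leaving our network toward the upstream) or
    "in" (arriving from the upstream). Returns (verdict, reason).
    """
    if is_rfc1918(src):
        # Leaving us: a private address leaked past NAT or from an
        # unnumbered link. Arriving: the upstream's privately numbered
        # router links, or outright spoofing. Drop both.
        return ("drop", "rfc1918-source")
    if direction == "out" and not in_prefixes(src, our_prefixes):
        # Egress source validation: only our own prefixes may leave;
        # anything else is spoofed or badly misrouted.
        return ("drop", "egress-not-ours")
    if direction == "in" and in_prefixes(src, our_prefixes):
        # Our own prefix cannot legitimately arrive from outside.
        return ("drop", "ingress-claims-ours")
    return ("accept", "ok")


def apply_filter(packets: Iterable[Tuple[str, str, str]]):
    """Run decide() over (direction, src, dst) records.

    Returns (accepted, dropped), each a list of (direction, src, dst, reason).
    """
    accepted: List[tuple] = []
    dropped: List[tuple] = []
    for direction, src, dst in packets:
        verdict, reason = decide(direction, src)
        target = accepted if verdict == "accept" else dropped
        target.append((direction, src, dst, reason))
    return accepted, dropped


# Constructed sample traffic, not captured data. 198.51.100.0/24 and
# 203.0.113.0/24 stand in for arbitrary remote networks.
SAMPLE_PACKETS = [
    ("out", "192.0.2.10", "198.51.100.7"),   # normal outbound
    ("out", "10.1.2.3", "198.51.100.7"),     # private source leaked past NAT
    ("out", "203.0.113.9", "198.51.100.7"),  # spoofed: not one of our prefixes
    ("in", "198.51.100.7", "192.0.2.10"),    # normal inbound
    ("in", "172.31.0.1", "192.0.2.10"),      # e.g. ICMP from a privately numbered upstream hop
    ("in", "192.0.2.200", "192.0.2.10"),     # spoofed: claims to be us
]

if __name__ == "__main__":
    ok, bad = apply_filter(SAMPLE_PACKETS)
    for rec in bad:
        print("DROP  ", rec)
    for rec in ok:
        print("ACCEPT", rec)
```

The fifth sample packet shows the operational cost Woods is living with: once the upstream numbers its inter-router links from RFC 1918 space, the ICMP that those routers originate (traceroute's time-exceeded replies, for instance) arrives with a private source and is dropped by exactly this kind of filter, so the hops show up as silence from the outside. Running the links without any IP addresses at all, as he describes, sidesteps that because the routers never appear as hops in the first place.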