RE: Private addresses on public network
From: Burton M. Strauss III (bstrauss3@attbi.com) Date: 07/30/02
- Previous message: Paul Devisser: "Re: Increase in Internet activity in Windows"
- In reply to: Octavio / Super: "Private addresses on public network"
- Next in thread: Felipe : "Re: Private addresses on public network"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Burton M. Strauss III" <bstrauss3@attbi.com> To: <security-basics@securityfocus.com> Date: Tue, 30 Jul 2002 15:32:28 -0500
First off, your ISP's border router SHOULD be programmed to reject these
(spurious, unauthorized) addresses.
For simplicity's sake:
upstream ............................................. downstream
"the internet" ---- [ext] ISProuter1 [int] ----- ISPnetwork ----- [int] ISProuter2 [ext] ----- You
And, say the ISP has address a.b.c.0/24 of which you are given a.b.c.224/28
(that is a.b.c.224 -> a.b.c.239, with .225 -> .238 usable).
At the very least there should be basic spoofing filters in place by your
ISP.
ISProuter1 ext filter should prohibit receiving packets originating from the
RFC 1918 addresses (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) and its
own address range, a.b.c.0/24.
ISProuter1 ext filter should prohibit sending packets originating from the
RFC 1918 range and everything BUT a.b.c.0/24.
ISProuter1 int filter should prohibit receiving packets EXCEPT from the
isp's a.b.c.0/24 range.
ISProuter1 int filter should prohibit sending packets EXCEPT to the isp's
a.b.c.0/24 range.
Similar filters on ISProuter2, but more restrictive (e.g. ext is limited to
YOUR a.b.c.224/28 range).
With that filtering, anything you place on your network should NOT be
routed. Even addresses not assigned to you.
It's a VERY bad practice, but it shouldn't be visible to anyone
else.
Reason it's bad? There are protocols (BGP, OSPF, etc.) which monitor
networks and share routing information among routers.
Say you put d.e.f.111 on your network, exposed to the ISP's routers. If
those filters aren't in place (and not all ISPs practice good filtering),
it's possible for the ISP's routers to think they have a great (i.e. fast)
route to that address and to share the "route" to d.e.f.111 with its peers.
Now it's not usually a problem for a few addresses, but if the ISP's routers
start aggregating (gee, I know d.e.f.111 and d.e.f.222, I bet I know
d.e.f.0/24) these routes and claiming "I've got really good connectivity" to
this (large) block of addresses, you run the risk of having that route
shared among many ISP's routers (and the mythical Internet backbone) and
"black holing" whomever really "owns" d.e.f.111.
Don't do it.
If you want to use private addresses which aren't exposed to the world, use
the RFC 1918 addresses - that's what they are defined for!
-----Burton
-----Original Message-----
From: Octavio / Super [mailto:alvarezp@doogie.ods.org]
Sent: Monday, July 29, 2002 1:08 PM
To: security-basics@securityfocus.com
Subject: Private addresses on public network
Hello, everybody!
Let's say I have a network, whose computers are connected directly to the
Internet (meaning that when they have a public IP address, they can connect
to any place, with no firewall or NAT in between (only the corresponding
router)).
Now, let's say that I set some (or all, whatever) of those computers to have
an IP address which does not correspond to my block, (either standard
private addresses (e.g. 192.168.x.x) or any other non-standard IP address
(e.g. 92.0.x.x which must belong to somebody)).
Q: Is there any way of connecting to them from an external network? I mean,
are they exposed to any security threat as if they were configured with
their [normal] public IP address?
Thanks.
Octavio.
--- Visita http://doogie.ods.org/ (Revisada: 2002.01.04)
Octavio Alvarez (aka: Super, Doogie) ICQ# 42020731. MSN_ID: alvarezp2000@h0tmail.com
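The ingress/egress filters Burton describes, modelled as a small packet-filter simulation so you can see where a packet with a spoofed or foreign source address gets dropped. This is an added example, not code from the original thread; the ranges are constructed stand-ins from the RFC 5737 documentation space (a.b.c.0/24 becomes 203.0.113.0/24, your a.b.c.224/28 becomes 203.0.113.224/28, d.e.f.111 becomes 198.51.100.111), and the assignment of ISProuter2's "ext" interface to the customer side follows the diagram in the post.

```python
import ipaddress

# Constructed stand-ins for the address ranges used in the post.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ISP_BLOCK = ipaddress.ip_network("203.0.113.0/24")        # the ISP's a.b.c.0/24
CUSTOMER_BLOCK = ipaddress.ip_network("203.0.113.224/28")  # your a.b.c.224/28

def _in(addr, nets):
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)

def filter_passes(src, dst, allow_src=None, deny_src=(), allow_dst=None):
    """One interface filter. deny_src is checked first; allow_src/allow_dst
    are whitelists (None means any). Returns True if the packet is passed."""
    if _in(src, deny_src):
        return False
    if allow_src is not None and not _in(src, allow_src):
        return False
    if allow_dst is not None and not _in(dst, allow_dst):
        return False
    return True

# Filters met by a packet travelling from "You" towards "the internet".
OUTBOUND_PATH = [
    ("ISProuter2 ext in", dict(allow_src=[CUSTOMER_BLOCK], deny_src=RFC1918)),
    ("ISProuter1 int in", dict(allow_src=[ISP_BLOCK])),
    ("ISProuter1 ext out", dict(allow_src=[ISP_BLOCK], deny_src=RFC1918)),
]
# Filters met by a packet coming from upstream towards "You".
INBOUND_PATH = [
    ("ISProuter1 ext in", dict(deny_src=RFC1918 + [ISP_BLOCK])),
    ("ISProuter1 int out", dict(allow_dst=[ISP_BLOCK])),
    ("ISProuter2 ext out", dict(allow_dst=[CUSTOMER_BLOCK])),
]

def trace(src, dst, path):
    """Return 'forwarded', or the name of the first filter that drops the packet."""
    for name, rules in path:
        if not filter_passes(src, dst, **rules):
            return name
    return "forwarded"

if __name__ == "__main__":
    # A legitimate host, a host configured with d.e.f.111, and an RFC 1918 host.
    for s in ("203.0.113.230", "198.51.100.111", "192.168.1.10"):
        print(s, "-> 192.0.2.1 :", trace(s, "192.0.2.1", OUTBOUND_PATH))
```

With the filters in place the foreign and private sources never leave ISProuter2, which is why the misconfigured hosts are neither reachable from outside nor able to pollute the ISP's routing.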