IP reserved networks

From: Leonardo Gebbia (gebbia@xxxxxxx)
Date: Thu Jul 20 2000 - 13:27:35 GMT-3


   
Hi,
I would like to ask you one question, regarding reserved IP addresses.
I'm working on an ISP's backbone security.
I'm trying to find out all the entries for the ingress and egress
antispoofing ACL.
Dealing with ingress ACL, we should apply this policy:

Router(config)#access-list 10 deny <ISP address plan>
Router(config)#access-list 10 deny <all IP address reserved> (I'm not really sure about it)
Router(config)#access-list 10 deny 0.0.0.0 0.255.255.255 (Historical Broadcast)
Router(config)#access-list 10 deny 10.0.0.0 0.255.255.255 (private addresses)
Router(config)#access-list 10 deny 127.0.0.0 0.255.255.255 (loopback)
Router(config)#access-list 10 deny 169.254.0.0 0.0.255.255 (Link Local Networks)
Router(config)#access-list 10 deny 172.16.0.0 0.15.255.255 (private addresses)
Router(config)#access-list 10 deny 192.0.2.0 0.0.0.255 (TEST-NET)
Router(config)#access-list 10 deny 192.168.0.0 0.0.255.255 (private addresses)
Router(config)#access-list 10 deny 224.0.0.0 31.255.255.255 (multicast, class E, broadcast)
Router(config)#access-list 10 permit any

My question is:
Must we deny all the traffic coming from a source belonging to an IP
reserved address, or only some reserved networks?
In case we must deny only some reserved networks, do you know which one of
them?

All IP reserved are listed in RFC 1166.
Is there any RFC that updates the previous one?
I have found a web site http://ipindex.dragonstar.net/ in which are
specified all IP addresses. The information included in this site is a bit
different from the one in RFC 1166. Which is the good one?

Thank you and Best Regards.

Leonardo Gebbia
I.C.T. Consulting S.r.l.
Via V. Pisani 22, 20124 Milano, Italy
mobile +39 0335 7424953
office +39 02 67642250
fax +39 02 67642243
e-mail: mailto:gebbia@ictc.it
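
Added example, not part of the original message: a small Python model of the access-list 10 entries quoted above, to check which source addresses the list drops and what prefix each wildcard mask covers. The two placeholder entries are omitted because the post gives no values for them; the function names and the test addresses are constructed for illustration.

```python
import ipaddress

# Entries copied from the ACL in the post: (action, address, wildcard mask).
# <ISP address plan> and <all IP address reserved> are left out: no values given.
ACL_10 = [
    ("deny", "0.0.0.0", "0.255.255.255"),
    ("deny", "10.0.0.0", "0.255.255.255"),
    ("deny", "127.0.0.0", "0.255.255.255"),
    ("deny", "169.254.0.0", "0.0.255.255"),
    ("deny", "172.16.0.0", "0.15.255.255"),
    ("deny", "192.0.2.0", "0.0.0.255"),
    ("deny", "192.168.0.0", "0.0.255.255"),
    ("deny", "224.0.0.0", "31.255.255.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),  # "permit any"
]

def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def entry_matches(source, address, wildcard):
    """Wildcard bits set to 1 are ignored; every other bit must be equal."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(source) & care) == (_to_int(address) & care)

def evaluate(source, acl=ACL_10):
    """First matching entry wins; no match means the implicit deny (entry None)."""
    for action, address, wildcard in acl:
        if entry_matches(source, address, wildcard):
            return action, (address, wildcard)
    return "deny", None

def entry_as_prefix(address, wildcard):
    """Express a contiguous wildcard mask as a CIDR prefix for review."""
    w = _to_int(wildcard)
    if w & (w + 1):  # contiguous masks look like 0...01...1
        raise ValueError("non-contiguous wildcard mask: " + wildcard)
    return ipaddress.IPv4Network((_to_int(address), 32 - w.bit_length()))

if __name__ == "__main__":
    for action, address, wildcard in ACL_10:
        print(action, entry_as_prefix(address, wildcard))
    # Constructed source addresses, not taken from the post.
    for src in ("10.1.2.3", "172.31.255.255", "172.32.0.1", "240.0.0.1"):
        print(src, evaluate(src))
```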




This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:23:56 GMT-3