RE: RFC 1918 filtering on ISP Edge router

From: Kenneth Wygand (KWygand@customonline.com)
Date: Sun Apr 25 2004 - 03:38:28 GMT-3


Anna,

Please read below. All this information is in the original document, "Router
Security Configuration Guide" published by SNAC and NSA. I'd attach the
document but Groupstudy doesn't accept attachments, so you can download the
document from the following link:

http://nsa2.www.conxion.com/cisco/download.htm

<snip>

IP Address Spoof Protection

The filtering suggestions in this sub-section are applicable to border
routers, and most interior routers. With backbone routers, it is not always
feasible to define 'inbound' and 'outbound'.

Inbound Traffic

Do not allow any inbound IP packet that contains an IP address from the
internal network (e.g., 14.2.6.0), any local host address (127.0.0.0/8), the
link-local DHCP default network (169.254.0.0/16), the documentation/test
network (192.0.2.0/24), or any reserved private addresses (refer to RFC 1918)
in the source field. Also, if your network does not need multicast traffic,
then block the IP multicast address range (224.0.0.0/4). Apply this access
list to the external interface of the router, as shown in the transcript
below.

</snip>

Let me know if I can be of any further help!

Kenneth E. Wygand
Systems Engineer, Project Services

CISSP #37102, CCNP, CCDP, ACSP, Cisco IPT Design Specialist, MCP, CNA,
Network+, A+
Custom Computer Specialists, Inc.

"I am not really smart. I just stick with problems longer."
-Albert Einstein

Custom Computer Specialists, Inc.

"Celebrating 25 Years of Excellence"
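The following is an added example (not from the NSA/SNAC guide and not code posted by either participant). It builds the inbound anti-spoof access list the quoted "IP Address Spoof Protection" section describes, including the three RFC 1918 blocks the snip only refers to, and evaluates constructed sample source addresses against the same rules so the logic can be checked without a router. The internal network 14.2.6.0/24 is the guide's own example; the ACL number 100 matches the quoted transcript, while the interface name, the closing "permit ip any any" entry and the sample addresses are assumptions.

```python
"""Inbound anti-spoofing filter: IOS ACL generator plus an offline checker.

Added example, not part of the quoted guide or the original posts.
Assumptions: internal network 14.2.6.0/24 (the guide's example), ACL 100,
interface Serial0/0, and a trailing "permit ip any any" so that legitimate
traffic is not caught by IOS's implicit deny at the end of the list.
"""
import ipaddress

# Prefixes that must never appear in the SOURCE field of a packet arriving
# from the outside. Order follows the quoted guide; RFC 1918 is expanded.
INTERNAL_NETWORK = ipaddress.ip_network("14.2.6.0/24")  # guide's example

SPOOF_SOURCES = [
    (INTERNAL_NETWORK, "own internal network"),
    (ipaddress.ip_network("127.0.0.0/8"), "loopback"),
    (ipaddress.ip_network("169.254.0.0/16"), "link-local"),
    (ipaddress.ip_network("192.0.2.0/24"), "documentation/test network"),
    (ipaddress.ip_network("10.0.0.0/8"), "RFC 1918"),
    (ipaddress.ip_network("172.16.0.0/12"), "RFC 1918"),
    (ipaddress.ip_network("192.168.0.0/16"), "RFC 1918"),
]
MULTICAST = ipaddress.ip_network("224.0.0.0/4")


def wildcard_mask(net):
    """IOS wildcard mask is the bitwise inverse of the subnet mask, which is
    exactly what ipaddress exposes as the hostmask (e.g. /12 -> 0.15.255.255)."""
    return str(net.hostmask)


def build_acl(acl_number=100, block_multicast=True):
    """Return the IOS 'access-list' lines for the inbound spoof filter."""
    lines = []
    for net, _reason in SPOOF_SOURCES:
        lines.append(f"access-list {acl_number} deny ip "
                     f"{net.network_address} {wildcard_mask(net)} any log")
    if block_multicast:
        lines.append(f"access-list {acl_number} deny ip "
                     f"{MULTICAST.network_address} {wildcard_mask(MULTICAST)} any log")
    # Assumed: without this, IOS's implicit deny would drop all remaining traffic.
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


def interface_config(acl_number=100, interface="Serial0/0"):
    """Apply the list inbound on the (assumed) external interface."""
    return [f"interface {interface}", f" ip access-group {acl_number} in"]


def classify(src, block_multicast=True):
    """Decide what the ACL does with a packet whose source address is src.
    Returns ("deny", reason) or ("permit", "")."""
    addr = ipaddress.ip_address(src)
    for net, reason in SPOOF_SOURCES:
        if addr in net:
            return ("deny", reason)
    if block_multicast and addr in MULTICAST:
        return ("deny", "multicast source")
    return ("permit", "")


# Constructed sample sources: each is a spoofed or impossible inbound source
# except the last two, which are ordinary public addresses.
SAMPLE_SOURCES = [
    "14.2.6.7",        # our own network arriving from outside: spoofed
    "127.0.0.1",       # loopback
    "169.254.10.20",   # link-local
    "192.0.2.99",      # documentation network
    "10.1.2.3",        # RFC 1918
    "172.31.255.1",    # RFC 1918 (top of 172.16/12)
    "192.168.1.1",     # RFC 1918
    "239.1.1.1",       # multicast as a source address
    "172.32.0.1",      # just past 172.16/12: legitimate public space
    "8.8.8.8",         # ordinary public source
]


def audit(sources=SAMPLE_SOURCES):
    """Map each sample source to the ACL verdict; useful for regression checks."""
    return {src: classify(src) for src in sources}


if __name__ == "__main__":
    print("\n".join(build_acl() + interface_config()))
    for src, (verdict, reason) in audit().items():
        print(f"{src:16} {verdict:6} {reason}")
```

Note that 172.32.0.1 is permitted while 172.31.255.1 is denied: a common mistake is to write the middle RFC 1918 block as 172.16.0.0 0.0.255.255 (a /16), which leaves 172.17.0.0 through 172.31.255.255 unfiltered; the wildcard 0.15.255.255 covers the whole /12.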

-----Original Message-----
From: Annu Roopa [mailto:annu_roopa@yahoo.com]
Sent: Saturday, April 24, 2004 11:21 PM
To: Kenneth Wygand; Carlos Marchini; ccielab@groupstudy.com
Subject: RE: RFC 1918 filtering on ISP Edge router

Kenneth & group,

Can someone shed some more light on what these addresses are and who uses
them - I mean which protocol or application. What's their use? Could not find
info on this.

East(config)# access-list 100 deny ip 14.2.6.0 0.0.0.255 any log
East(config)# access-list 100 deny ip 192.0.2.0 0.0.0.255 any log
East(config)# access-list 100 deny ip 169.254.0.0 0.0.255.255 any log
East(config)# access-list 100 deny ip 224.0.0.0 15.255.255.255 any log

Also in some Cisco documents it says block all Microsoft reserved
addresses. Which ones are these, so that they cover them all?

Thanks for your answers.

Annu.




This archive was generated by hypermail 2.1.4 : Mon May 03 2004 - 19:48:55 GMT-3