From owner-freebsd-security Mon Aug 17 21:40:27 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA28283 for freebsd-security-outgoing; Mon, 17 Aug 1998 21:40:27 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from critter.freebsd.dk (critter.freebsd.dk [195.8.129.14]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA28272 for ; Mon, 17 Aug 1998 21:40:10 -0700 (PDT) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.1/8.8.5) with ESMTP id GAA00740; Tue, 18 Aug 1998 06:35:41 +0200 (CEST)
To: jaitken@dimension.net
cc: sthaug@nethelp.no, girgen@partitur.se, freebsd-security@FreeBSD.ORG
Subject: Re: private network on router's external NIC?
In-reply-to: Your message of "Mon, 17 Aug 1998 20:18:14 EDT." <199808180018.UAA14592@gizmo.dimension.net>
Date: Tue, 18 Aug 1998 06:35:41 +0200
Message-ID: <738.903414941@critter.freebsd.dk>
From: Poul-Henning Kamp
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <199808180018.UAA14592@gizmo.dimension.net>, Jeff Aitken writes:
>sthaug@nethelp.no writes:
>> > Makes sense to me. So, how do these IP numbers get out on the Internet?
>> > How do they get routed anywhere; they're supposed to be private?
>
>Those addresses are only private because we all consider them to be.
>There's nothing stopping an ISP from telling the world "The
>10.0.0.0/8 network is reachable via ME!". Hell, there have been
>people who have announced "Hey, the ENTIRE INTERNET is reachable
>through ME!".
;-) But any moderately experienced BGP-gaffer will know not to accept any routes for:

    neighbor x.x.x.x distribute-list 4 in
    access-list 4 deny 0.0.0.0
    access-list 4 deny 10.0.0.0 0.255.255.255
    access-list 4 deny 172.16.0.0 0.0.15.255
    access-list 4 deny 192.168.0.0 0.0.255.255
    access-list 4 deny 127.0.0.0 0.255.255.255
    access-list 4 deny
    access-list 4 deny
    access-list 4 deny

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
"ttyv0" -- What UNIX calls a $20K state-of-the-art, 3D, hi-res color terminal