Subject: Re: Private networks and home.{net|com}
From: Marc Slemko (marcs@ZNEP.COM)
Date: Wed Feb 09 2000 - 10:27:48 CST
- Next message: Rasmus Andersson: "Re: Private networks and home.{net|com}"
- Previous message: Paul Wouters: "Re: massive unapproved AXFR's and odd rcvd NOTIFY's"
- In reply to: Andersson, Rasmus: "Re: Private networks and home.{net|com}"
- Next in thread: Sachs, Marcus: "Re: Private networks and home.{net|com}"
- Reply: Marc Slemko: "Re: Private networks and home.{net|com}"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Tue, 8 Feb 2000, Andersson, Rasmus wrote:
> Yes, there is something you don't completely understand :-)
>
> The private nets are not routed on the Internet. A very good example of
> use for that is link networks, just connecting two or more routers.
> Besides saving public addresses, it adds some security.
>
> In what way does that "destroy the meaning of the concept"? You cannot
> reach that router, and you have no reason for doing that. But that
> router can reach you with ICMP messages if need be. Or route your
> packets.
>
> This is why you should not filter ALL packets from private nets, you
> must let ICMP unreachables and time-exceededs through. Otherwise you
> will break Path-MTU-discovery.
No. This is why systems that generate ICMP messages sent to public IPs
from private source addresses are broken.
It is perfectly legitimate to filter all traffic from private address
space and, in fact, is often a necessary part of a security policy if you
are using those addresses yourself. That is why they are called private
addresses; by their very intent, they will be used at more than one
site. So no site can make presumptions about packets with a private
source address making it to any given remote system.
It is fine to use private IPs for link addresses as long as they never
generate any traffic which is seen by the outside world and which is
sourced from that IP. The moment they do, your network is broken. It is
not the fault of the people that are legitimately filtering such bogus
packets.
In general, I recommend against using private address space for link
addresses for exactly this reason.
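Marc's policy above, modelled as an added example that is not from the original post: a small Python border filter that drops every packet sourced from RFC 1918 space, ICMP included, plus a check that lists the ICMP unreachables and time-exceededs that arrive from private sources (the messages the quoted reply says must be let through). The `Packet` record and the sample traffic are constructed for this illustration and assume Python 3.7 or later.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 private address space (the "private nets" under discussion).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# ICMP types that Path-MTU discovery and traceroute depend on.
ICMP_UNREACHABLE, ICMP_TIME_EXCEEDED = 3, 11
ICMP_FRAG_NEEDED = 4  # code under type 3


@dataclass(frozen=True)
class Packet:             # constructed minimal packet record
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    icmp_type: int = -1   # only meaningful when proto == "icmp"
    icmp_code: int = -1


def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def border_filter(pkt: Packet) -> str:
    """Ingress policy at the border: anything sourced from private space is
    dropped, ICMP included; no exception is carved out for unreachables."""
    return "drop" if is_private(pkt.src) else "accept"


def leaked_pmtud_messages(packets):
    """Detection side: the ICMP unreachable / time-exceeded messages that
    arrived from a private source. Each was emitted by a router numbered
    from private space and is dropped by border_filter, so the sender never
    learns the path MTU; the fix belongs on that router, not the filter."""
    return [p for p in packets
            if p.proto == "icmp" and is_private(p.src)
            and p.icmp_type in (ICMP_UNREACHABLE, ICMP_TIME_EXCEEDED)]


# Constructed sample traffic as seen on the outside interface.
SAMPLE = [
    Packet("203.0.113.5", "198.51.100.9", "tcp"),
    Packet("10.1.2.3", "198.51.100.9", "tcp"),
    Packet("172.16.0.1", "198.51.100.9", "icmp", ICMP_UNREACHABLE, ICMP_FRAG_NEEDED),
    Packet("192.168.7.7", "198.51.100.9", "icmp", ICMP_TIME_EXCEEDED, 0),
    Packet("192.0.2.1", "198.51.100.9", "icmp", ICMP_UNREACHABLE, ICMP_FRAG_NEEDED),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.src, border_filter(p))
    print(len(leaked_pmtud_messages(SAMPLE)), "PMTUD messages lost to private sources")
```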