At 15:13 2/10/95, Antonio Vasconcelos wrote:
>Hopefully that will never happen if using private addresses as defined by
>rfc1597, ie, between the ranges:
>
> 10.0.0.0 / 10.255.255.255
> 172.16.0.0 / 172.31.255.255
> 192.168.0.0 / 192.168.255.255
>
>And I'm using 192.168.x.x for my internal (non-public) nets.
>
>As someone has said before, most Internet providers should be dropping these
>ranges in every router.

Nice theory, but most of the Internet service providers I've talked to are
dead set against doing ANY packet filtering in ANY of their routers,
because of the performance implications. Packets with these addresses that
get into their system are going to go through them (following default
routes) until they reach one of the various cores. For instance, here's
what I get on Alternet:

miles 101 % traceroute 10.0.0.1
traceroute to 10.0.0.1 (10.0.0.1), 30 hops max, 40 byte packets
1 mv-irx.greatcircle.com (198.102.244.33) 2 ms 2 ms 2 ms
2 uu-irx-fr.greatcircle.com (198.102.244.4) 30 ms 33 ms 445 ms
3 uu-irx-fr.greatcircle.com (198.102.244.4) 32 ms 30 ms 30 ms
4 San-Jose3.CA.ALTER.NET (137.39.27.1) 60 ms 40 ms 31 ms
5 Vienna1.VA.ALTER.NET (137.39.12.1) 130 ms 108 ms 118 ms
6 en-0.ENSS136.t3.ANS.NET (192.41.177.253) 140 ms !H 128 ms !H 132 ms !H

The packet doesn't get rejected until it gets all the way to the ANS core.
-Brent
--
== For info about the Internet Security Firewalls Tutorial and a schedule ==
== of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM ==
==============================================================================
== Brent Chapman Great Circle Associates ==
== Brent@GreatCircle.COM 1057 West Dana Street ==
== +1 415 962 0841 Mountain View, CA 94041 ==