Hi,

VaX#n8 wrote:
[..]
> Consulting
> <URL:ftp://ftp.isi.edu/in-notes/iana/assignments/ipv4-address-space>
> one finds that there are several classes of reserved addresses,
> distinct from the private addresses codified in the related RFCs:
[..]
> It may be worthwhile to generate list of all address blocks not
> recently routed and construct a filter based on those.

This list will be very large due to the highly fragmented nature of 192/8, for example, and will be ever-changing. As long as there is no automatized way to generate this list, for example by a routing registry like "whois.ra.net", but more complete and better authenticated against erroneous objects, this is doomed to fail due to high maintenance efforts.

On the other hand, I can only urge every internet service provider out there to carefully read RFC2267 ("Network Ingress Filtering") and apply strong filters to all customer lines. After all, you KNOW very exactly which IP addresses this customer is using (you route them to him), so you can easily filter all packets with other source addresses.

While this won't immediately have any benefits to your network, it has enormous benefits to everybody else -- they can't be attacked by your customers any more.

(Thanks to Alan Cox for pointing this out to me, and to Paul Ferguson for writing the RFC about it!).

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
gertat_private
fax: +49-89-35655025
gert.doeringat_private-muenchen.de
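
The per-customer source filter described in the message above, modelled as an added example that is not part of the original post: the prefixes routed to each customer line become that line's permit list, and any packet arriving with another source address is dropped. The line names, prefixes (documentation ranges) and packets are constructed assumptions.

```python
import ipaddress

# Constructed sample data: prefixes the provider routes to each customer line.
# Line names and prefixes are assumptions for illustration only.
CUSTOMER_ROUTES = {
    "cust-a": ["192.0.2.0/25", "198.51.100.0/24"],
    "cust-b": ["192.0.2.128/26"],
}

def build_ingress_filters(routes):
    """Derive each line's permit list from the routes pointing at that line."""
    filters = {}
    for line, prefixes in routes.items():
        # strict=True rejects prefixes with host bits set (typos in the route list)
        nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
        filters[line] = list(ipaddress.collapse_addresses(nets))
    return filters

def permit(filters, line, src):
    """True only if src lies inside a prefix routed to the arrival line.
    A line with no known routes permits nothing (default deny)."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in filters.get(line, []))

def filter_packets(filters, packets):
    """Split (line, src, dst) tuples into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        line, src, _dst = pkt
        (forwarded if permit(filters, line, src) else dropped).append(pkt)
    return forwarded, dropped

# Constructed packets: (arrival line, source address, destination address)
PACKETS = [
    ("cust-a", "192.0.2.10", "203.0.113.5"),   # source routed to cust-a
    ("cust-a", "192.0.2.130", "203.0.113.5"),  # cust-b's address seen on cust-a's line
    ("cust-b", "192.0.2.130", "203.0.113.5"),  # source routed to cust-b
    ("cust-b", "10.1.2.3", "203.0.113.5"),     # private source address
    ("cust-b", "203.0.113.5", "203.0.113.5"),  # source outside every customer prefix
    ("unknown", "192.0.2.10", "203.0.113.5"),  # line with no routes: default deny
]

if __name__ == "__main__":
    fwd, drop = filter_packets(build_ingress_filters(CUSTOMER_ROUTES), PACKETS)
    for pkt in fwd:
        print("FORWARD", pkt)
    for pkt in drop:
        print("DROP   ", pkt)
```

Because the permit list is built from the same route data used to deliver traffic to the customer, it needs no separate list of unrouted or reserved blocks.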
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:52:47 PDT