This is one of the reasons I do not feel comfortable with just one of the cheap routers in between you and your ISP -- there is no guarantee your ISP will filter RFC 1918 addresses out, nor that these routers will. You are better off assuming it is up to you to filter them out. In fact, these routers will _not_ filter it, since they themselves cannot know what IP ranges should, or should not, be allowed in or out. This is, right now, the trade-off on paying $50 for a (say) LinkSys router, as opposed to $600 up for a Cisco.

AFAIK, the best option would be to have the router (LinkSys, NetGear, etc) PLUS a firewall correctly configured to drop the addresses.

One detail here -- depending on your ISP, you have to allow for incoming RFC 1918 source addresses on ICMP responses, if you want traceroute to report all hops. My ISP, for example, has a lot of routers on the 10.0.0.0 network.

----- Original Message -----
From: "James C. Slora Jr." <Jim.Sloraat_private>
To: "Andrews, Jonathan (US - Hermitage)" <joandrewsat_private>; <incidentsat_private>

| Private addresses _should_ not be routed. They can be and are routed with
| frustrating regularity. I get (and filter of course) private address traffic
| from:
| ISP's equipment
| Forged packets
| Overloaded remote NAT devices or firewalls
| Misconfigured NAT
| Misconfigured complex Web sites
|
| Some ISPs filter it out and some don't.
|
| > If so, this would have to be something on your internal network broadcasting
| > this traffic.
|
| Probably so, but not necessarily. Depends on whether private addresses were
| effectively filtered upstream of the network reporting the alert.
|

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
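The policy the thread describes (drop anything arriving from the ISP side with an RFC 1918 source, but let through the ICMP error messages that traceroute depends on, since some ISPs number their core routers out of 10.0.0.0/8) can be written down as a small filter model. The code below is an added example for this archive page, not code from either poster; the `Packet` type, the `verdict` function, the interface name `eth0` and the sample packets are all constructed here for illustration, and the generated `iptables` lines are one possible rendering of the same policy on a Linux firewall.

```python
"""Edge filter for RFC 1918 sources on the ISP-facing interface.

Added example, not from the mailing-list thread. Inbound packets whose
source is a private (RFC 1918) address are dropped, with one deliberate
exception: ICMP error messages (destination-unreachable, time-exceeded)
are accepted so that traceroute still shows hops that an ISP has numbered
out of private space.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# The three RFC 1918 blocks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# ICMP types traceroute relies on: 3 = destination-unreachable,
# 11 = time-exceeded. Anything else (e.g. echo-request, type 8) gets no pass.
ICMP_ERROR_TYPES = {3: "destination-unreachable", 11: "time-exceeded"}


@dataclass(frozen=True)
class Packet:
    """Minimal view of a packet: source address, L4 protocol, ICMP type."""
    src: str
    proto: str                      # "tcp", "udp" or "icmp"
    icmp_type: Optional[int] = None  # only meaningful when proto == "icmp"


def is_rfc1918(addr: str) -> bool:
    """True if addr falls in any RFC 1918 block."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def verdict(pkt: Packet, allow_icmp_errors: bool = True) -> str:
    """Return 'accept' or 'drop' for a packet arriving from the ISP side."""
    if not is_rfc1918(pkt.src):
        return "accept"             # public source: not this filter's concern
    if (allow_icmp_errors and pkt.proto == "icmp"
            and pkt.icmp_type in ICMP_ERROR_TYPES):
        return "accept"             # traceroute hop replies from private routers
    return "drop"                   # leaked, forged or misrouted private source


def summarize(packets: List[Packet]) -> Dict[str, int]:
    """Count verdicts over a batch of packets (e.g. a replayed capture)."""
    counts = {"accept": 0, "drop": 0}
    for pkt in packets:
        counts[verdict(pkt)] += 1
    return counts


def iptables_rules(wan_if: str, chain: str = "INPUT") -> List[str]:
    """Render the same policy as ordered iptables rules for interface wan_if.

    Accept rules for the ICMP error types come first so they match before
    the catch-all drop for each private block.
    """
    rules = []
    for net in RFC1918:
        for name in ICMP_ERROR_TYPES.values():
            rules.append(f"iptables -A {chain} -i {wan_if} -s {net} "
                         f"-p icmp --icmp-type {name} -j ACCEPT")
    for net in RFC1918:
        rules.append(f"iptables -A {chain} -i {wan_if} -s {net} -j DROP")
    return rules


# Constructed sample traffic (not a real capture): a normal public-source
# packet, two traceroute hop replies from an ISP router in 10/8, and three
# leaks of the kinds the thread lists (overloaded NAT, misconfiguration, forgery).
SAMPLE = [
    Packet("203.0.113.7", "tcp"),
    Packet("10.20.30.1", "icmp", 11),
    Packet("10.20.30.1", "icmp", 3),
    Packet("192.168.1.50", "udp"),
    Packet("172.16.5.5", "tcp"),
    Packet("10.9.9.9", "icmp", 8),
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(f"{pkt.src:15} {pkt.proto:4} {verdict(pkt)}")
    print(summarize(SAMPLE))
    print("\n".join(iptables_rules("eth0")))
```

Setting `allow_icmp_errors=False` gives the strict variant (drop every private source, traceroute gaps included); the rule order produced by `iptables_rules` matters because iptables stops at the first match, so the ICMP accepts must precede the per-block drops.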
This archive was generated by hypermail 2b30 : Thu Dec 12 2002 - 09:53:01 PST