[sdnog] Network Security / RFC 3330

Nishal Goburdhan nishal at controlfreak.co.za
Tue Feb 10 09:42:24 SAST 2015


Hiba Eltigani wrote:

> You can also check the current assignment for IPv4 and IPv6 ranges from
> IANA website at below links:
>
> http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml
> http://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xhtml
> http://www.iana.org/assignments/ipv6-unicast-address-assignments/ipv6-unicast-address-assignments.xhtml

> On Feb 10, 2015 9:23 AM, "Daniel Shaw" <dshaw78 at gmail.com
> <mailto:dshaw78 at gmail.com>> wrote:
>>     the following RFC #3330 describes IP addresses which shouldn't be
>>     allowed for inbound traffic on your edge devices eg. routers.
>>
>>     http://www.rfc-base.org/txt/rfc-3330.txt
>
>     And, if/when you actually do so, you may find this useful:
>     http://www.team-cymru.org/Services/Bogons/
>
>     There are links there to download pre-formatted versions of (more or
>     less) the above IP ranges that can just be copied and pasted into ACLs
>     for the most common router brands.
>
>     - Daniel


all great information.   just one thing you probably want to consider 
when looking at an RFC;  always go to the source.  RFCs are a result of 
collaborative work from the IETF, so a good place to look is at the 
actual IETF website itself...
in this case, http://tools.ietf.org.   if you put 3330 into the 
document search on the left, you'd have brought up the actual RFC3330. 
  more usefully, you would also have seen that this was updated to 5735, 
and if you clicked on that you'd see the "updated updated" version is 
now 6890.  which is a handy way to track changes, history and development.

there are two good things to remember here:
* the internet is a living thing;  best practices and standards are 
updated over time.  so while most of us remember RFC1918, and now 
RFC3330, it's also important to see what new changes have happened along 
the way.

* always try to look at the source first;  not everything you read on 
the internet is true  ;-)    so when you refer people to 
documentation/announcements, it's best to point to the origin (and 
authoritative location) to avoid confusion.

nonetheless;  still an important point.  if the networks in sudan could 
get around to filtering this "reserved" space in accordance with 
BCP38 (aka RFC2827; which itself has been updated) then you'll be one 
step closer to making your networks more secure and more resilient to 
DDoS attacks.  honestly.

best,
--n.
