[sdnog] Network Security / RFC 3330
Nishal Goburdhan
nishal at controlfreak.co.za
Tue Feb 10 09:42:24 SAST 2015
Hiba Eltigani wrote:
> You can also check the current assignment for IPv4 and IPv6 ranges from
> IANA website at below links:
>
> http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml
> http://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xhtml
> http://www.iana.org/assignments/ipv6-unicast-address-assignments/ipv6-unicast-address-assignments.xhtml
> On Feb 10, 2015 9:23 AM, "Daniel Shaw" <dshaw78 at gmail.com> wrote:
>> the following RFC #3330 describes IP addresses which shouldn't be
>> allowed for inbound traffic on your edge devices eg. routers.
>>
>> http://www.rfc-base.org/txt/rfc-3330.txt
>
> And, if/when you actually do so, you may find this useful:
> http://www.team-cymru.org/Services/Bogons/
>
> There are links there to download pre-formatted versions of (more or
> less) the above IP ranges that can just be copied and pasted into ACLs
> for the most common router brands.
>
> - Daniel
all great information. just one thing you probably want to consider
when looking at an RFC; always go to the source. RFCs are a result of
collaborative work from the IETF, so a good place to look is at the
actual IETF website itself...
in this case, http://tools.ietf.org. if you put 3330 into the
document search on the left, you'd have brought up the actual RFC3330.
more usefully, you would also have seen that this was updated to 5735,
and if you clicked on that you'd see the "updated updated" version is
now 6890, which is a handy way to track changes, history and development.
there are two good things to remember here:
* the internet is a living thing; best practices and standards are
updated over time. so while most of us remember RFC1918, and now
RFC3330, it's also important to see what new changes have happened along
the way.
* always try to look at the source first; not everything you read on
the internet is true ;-) so when you refer people to
documentation/announcements, it's best to point to the origin (and
authoritative location) to avoid confusion.
nonetheless, still an important point. if the networks in sudan could
get around to filtering this "reserved" space in accordance with
BCP38 (aka RFC2827, which itself has been updated) then you'll be one
step closer to making your networks more secure and more resilient to
DDoS attacks. honestly.
best,
--n.
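An added example (mine, not code from the thread, the IETF or Team Cymru) of what the edge filtering discussed in this thread looks like in practice: inbound source addresses are checked against a snapshot of the RFC 6890 IPv4 special-purpose registry (the successor of RFC 3330 and RFC 5735), and the same table is rendered as IOS-style ACL lines. The table contents and the ACL syntax are my assumptions, copied by hand; the authoritative list is the IANA registry and, as the thread says, it changes over time.

```python
import ipaddress

# Snapshot of the RFC 6890 IPv4 special-purpose registry (prefix -> name),
# hand-copied and assumed current; it goes stale, so re-check IANA periodically.
RFC6890_IPV4 = {
    "0.0.0.0/8": "This host on this network",
    "10.0.0.0/8": "Private-Use (RFC 1918)",
    "100.64.0.0/10": "Shared Address Space (RFC 6598)",
    "127.0.0.0/8": "Loopback",
    "169.254.0.0/16": "Link Local",
    "172.16.0.0/12": "Private-Use (RFC 1918)",
    "192.0.0.0/24": "IETF Protocol Assignments",
    "192.0.2.0/24": "Documentation (TEST-NET-1)",
    "192.88.99.0/24": "6to4 Relay Anycast",
    "192.168.0.0/16": "Private-Use (RFC 1918)",
    "198.18.0.0/15": "Benchmarking",
    "198.51.100.0/24": "Documentation (TEST-NET-2)",
    "203.0.113.0/24": "Documentation (TEST-NET-3)",
    "240.0.0.0/4": "Reserved",
    "255.255.255.255/32": "Limited Broadcast",
}
_NETS = [(ipaddress.ip_network(p), n) for p, n in RFC6890_IPV4.items()]

def special_purpose(addr):
    """Registry name if addr falls in a listed range, else None (longest match)."""
    ip = ipaddress.ip_address(addr)  # an IPv6 address never matches an IPv4 net -> None
    best = None
    for net, name in _NETS:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name)
    return best[1] if best else None

def filter_inbound(packets):
    """packets: [(src, dst), ...]; drop packets whose source is special-purpose."""
    accepted, dropped = [], []
    for src, dst in packets:
        reason = special_purpose(src)
        if reason:
            dropped.append((src, dst, reason))
        else:
            accepted.append((src, dst))
    return accepted, dropped

def cisco_acl_lines(acl_number=100):
    """Render the table as IOS-style numbered ACL deny lines (wildcard masks)."""
    lines = []
    for net, name in _NETS:
        lines.append(f"access-list {acl_number} remark {name}")
        lines.append(f"access-list {acl_number} deny ip {net.network_address} {net.hostmask} any")
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines
```

Apply the deny list on the inbound direction of the upstream-facing interface only; the same table is not a substitute for BCP38 egress filtering of your own customers' source addresses.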