Consultation on change to RIP interception definition ("unintentional interception")

Roland Perry lists at internetpolicyagency.com
Thu Nov 18 09:07:42 GMT 2010


In article <F3145DA6-9DB9-491B-B98F-B1FDDD9BCD11 at batten.eu.org>, Ian 
Batten <igb at batten.eu.org> writes

>Some part of the US Government started it (honest, guv).  They 
>presumably had an internal mail server which offered final delivery and 
>an external-facing system which was somewhat hardened (this is the 
>mid-90s, so something like Gauntlet might have been in use).    This 
>was before split-horizon DNS servers were common, so they simply published:
>
>whatever.gov. in mx 20 external.whatever.gov.
>whatever.gov. in mx 10 internal.whatever.gov.
>external.whatever.gov. in a 4.5.6.7   ;;; a globally routable IP number
>internal.whatever.gov. in a 192.168.1.1   ;;; RFC1918 private IP number
>
>This is neat, they must have thought.  Instead of having to configure 
>that pesky external system, the MX records mean it all just works: 
>senders try to contact the internal system, fail and fall back to the 
>external system, but the external system looks for a lower MX 
>preference, finds it and relays the mail.  Of course, if the sender 
>happens to have a mail server on 192.168.1.1 it'll probably break, but 
>what are the chances, right?

Hmm, I've got an internal mail server on 192.168.1.x, where I 
deliberately chose x not to be "1".

>we also advertised 10/8, 172.16/12 and 192.168/16

...

> I trust ISPs don't propagate routes for RFC1918 any more...

As the available free pool of IPv4 diminishes, the RIRs are taking a 
much closer look at what they call "noise" in /8's that they receive 
from IANA and which were supposed to be previously unregistered (and 
hence unused/unannounced). Geoff Huston at APNIC has done much of this, 
if you want the gory details.

There was a surprising (or perhaps unsurprising, depending on your point 
of view) amount of traffic floating around looking for 1.1.1.1 and 1.2.3.4 when 
they examined 1/8 (that's 1-slash-eight) about a year ago. This week 
he's fingered 42.105.57/24 which is apparently running at a megabit a 
second if you listen to it.

In general, yes, I do think ISPs have much better filters today (for 
private address space, unallocated space; and as a superset, space that 
isn't assigned by them[1]) but it's never perfect.

[1] Just in case one of their customers starts announcing some space 
they shouldn't be.
-- 
Roland Perry
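The MX fallback set-up Ian quotes above can be caught before it is published. The following is an added example, not code from the original thread or either of its authors: it parses a minimal zone-file fragment (the constructed sample mirrors the quoted records) and reports any MX target whose A record is not globally routable, such as RFC 1918 space.

```python
"""Flag MX targets that resolve to non-globally-routable address space."""
import ipaddress

# Constructed sample mirroring the records quoted in the thread.
SAMPLE_ZONE = """
whatever.gov. in mx 20 external.whatever.gov.
whatever.gov. in mx 10 internal.whatever.gov.
external.whatever.gov. in a 4.5.6.7   ;;; a globally routable IP number
internal.whatever.gov. in a 192.168.1.1   ;;; RFC1918 private IP number
"""


def parse_zone(text):
    """Return ({owner: [(pref, target)]}, {name: [ip]}) from MX and A lines.

    Only the '<owner> in <type> <rdata>' form used in the sample is handled;
    ';' starts a comment, as in a BIND zone file.
    """
    mx, a = {}, {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        owner, rtype = fields[0].lower(), fields[2].lower()
        if rtype == "mx":
            mx.setdefault(owner, []).append((int(fields[3]), fields[4].lower()))
        elif rtype == "a":
            a.setdefault(owner, []).append(ipaddress.ip_address(fields[3]))
    return mx, a


def unroutable_mx(zone_text, domain):
    """List (pref, target, ip) for MX hosts of `domain`, in preference order,
    whose address a sender on the public Internet cannot reach (RFC 1918,
    loopback, link-local and other special-purpose ranges)."""
    mx, a = parse_zone(zone_text)
    bad = []
    for pref, target in sorted(mx.get(domain.lower(), [])):
        for ip in a.get(target, []):
            if not ip.is_global:
                bad.append((pref, target, str(ip)))
    return bad


if __name__ == "__main__":
    for pref, host, ip in unroutable_mx(SAMPLE_ZONE, "whatever.gov."):
        print(f"MX {pref} {host} -> {ip} is not globally routable; "
              "external senders will fail over to the next preference")
```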


