Consultation on change to RIP interception definition ("unintentional interception")
Roland Perry
lists at internetpolicyagency.com
Thu Nov 18 09:07:42 GMT 2010
In article <F3145DA6-9DB9-491B-B98F-B1FDDD9BCD11 at batten.eu.org>, Ian
Batten <igb at batten.eu.org> writes
>Some part of the US Government started it (honest, guv). They
>presumably had an internal mail server which offered final delivery and
>an external-facing system which was somewhat hardened (this is the
>mid-90s, so something like Gauntlet might have been in use). This
>was before split-horizon DNS servers were common, so they simply published:
>
>whatever.gov. in mx 20 external.whatever.gov.
>whatever.gov. in mx 10 internal.whatever.gov.
>external.whatever.gov. in a 4.5.6.7 ;;; a globally routable IP number
>internal.whatever.gov. in a 192.168.1.1 ;;; RFC1918 private IP number
>
>This is neat, they must have thought. Instead of having to configure
>that pesky external system, the MX records mean it all just works:
>senders try to contact the internal system, fail and fall back to the
>external system, but the external system looks for a lower MX
>preference, finds it and relays the mail. Of course, if the sender
>happens to have a mail server on 192.168.1.1 it'll probably break, but
>what are the chances, right?
Hmm, I've got an internal mail server on 192.168.1.x, where I
deliberately chose x not to be "1".
>we also advertised 10/8, 172.16/12 and 192.168/16
...
> I trust ISPs don't propagate routes for RFC1918 any more...
As the available free pool of IPv4 diminishes, the RIRs are taking a
much closer look at what they call "noise" in /8's that they receive
from IANA and which were supposed to be previously unregistered (and
hence unused/unannounced). Geoff Huston at APNIC has done much of this,
if you want the gory details.
There was a surprising (or perhaps unsurprising, depending on your point
of view) amount of traffic floating around looking for 1.1.1.1 and 1.2.3.4 when
they examined 1/8 (that's 1-slash-eight) about a year ago. This week
he's fingered 42.105.57/24 which is apparently running at a megabit a
second if you listen to it.
In general, yes I do think ISPs have much better filters today (for
private address space, unallocated space; and as a superset, space that
isn't assigned by them[1]) but it's never perfect.
[1] Just in case one of their customers starts announcing some space
they shouldn't be.
--
Roland Perry
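The two failure modes discussed in this exchange, the public MX record whose lowest-preference target lives in RFC 1918 space (quoted above) and the ISP-side filter for customers announcing private or unassigned prefixes (Roland's footnote [1]), share one underlying check: "is this address or prefix private, and is it space this party is entitled to use?" The following is an added example, not code from the thread or from either poster; it uses Python's standard ipaddress module. The zone records are constructed to match the quoted example, and the customer assignment (203.0.113.0/24) and announced prefixes are made-up sample data in documentation ranges.

```python
"""Added example (not from the ukcrypto thread): check public MX targets
and customer route announcements for RFC 1918 / unassigned space.

All DNS records and prefixes below are constructed sample data.
"""
import ipaddress

# RFC 1918 private ranges: the ones Ian's old router was advertising.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr (IPv4Address) falls in any RFC 1918 block."""
    return any(addr in net for net in PRIVATE_NETS)


# Constructed zone, modelled on the one quoted in the thread: the lower
# preference value (10) is tried FIRST, and it points at a private address.
MX_RECORDS = [(20, "external.whatever.gov."), (10, "internal.whatever.gov.")]
A_RECORDS = {"external.whatever.gov.": "4.5.6.7",      # globally routable
             "internal.whatever.gov.": "192.168.1.1"}  # RFC 1918


def delivery_order(mx_records):
    """Hosts in the order a sending MTA tries them: lowest preference first
    (RFC 5321 section 5.1)."""
    return [host for _, host in sorted(mx_records)]


def check_mx_targets(mx_records, a_records, sender_local_ips=()):
    """Flag MX targets that a remote sender cannot or should not reach.

    Returns a list of (preference, host, ip, problem).  sender_local_ips is
    the sending site's own internal addresses; a collision there is the
    "what are the chances" case from the thread: the sender would hand mail
    to its OWN machine at 192.168.1.1 instead of failing over.
    """
    findings = []
    local = {ipaddress.ip_address(ip) for ip in sender_local_ips}
    for pref, host in sorted(mx_records):
        ip_text = a_records.get(host)
        if ip_text is None:
            findings.append((pref, host, None, "no A record for MX target"))
            continue
        ip = ipaddress.ip_address(ip_text)
        if ip in local:
            findings.append((pref, host, ip_text,
                             "collides with a host on the sender's own LAN"))
        elif is_rfc1918(ip):
            findings.append((pref, host, ip_text,
                             "RFC 1918 target published in public DNS"))
    return findings


# Constructed customer data: assigned space vs. what the customer announces.
ASSIGNED = ["203.0.113.0/24"]
ANNOUNCED = ["203.0.113.0/25", "192.168.0.0/16", "198.51.100.0/24", "10.0.0.0/8"]


def filter_announcements(announced, assigned):
    """Ingress prefix filter of the kind Roland describes: reject private
    space, and (as the superset) anything outside the customer's assignment.

    Returns (accepted, rejected); rejected entries carry a reason.
    """
    assigned_nets = [ipaddress.ip_network(p) for p in assigned]
    accepted, rejected = [], []
    for prefix in announced:
        net = ipaddress.ip_network(prefix)
        if any(net.subnet_of(priv) for priv in PRIVATE_NETS):
            rejected.append((prefix, "private (RFC 1918) space"))
        elif not any(net.subnet_of(a) for a in assigned_nets):
            rejected.append((prefix, "outside space assigned to this customer"))
        else:
            accepted.append(prefix)
    return accepted, rejected


if __name__ == "__main__":
    print("sender tries MX hosts in order:", delivery_order(MX_RECORDS))
    for finding in check_mx_targets(MX_RECORDS, A_RECORDS,
                                    sender_local_ips=["192.168.1.1"]):
        print("MX problem:", finding)
    ok, bad = filter_announcements(ANNOUNCED, ASSIGNED)
    print("accepted routes:", ok)
    for prefix, why in bad:
        print("rejected %s: %s" % (prefix, why))
```

Pointing the checker at a real zone means replacing the constructed dictionaries with the output of an MX and A lookup; the logic is the same. Note that the "collision" branch only fires when the sender's own inventory is supplied, which is exactly why the original setup looked harmless from the publishing side.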