[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: reconsidering default exit policy

To: Valient Gough <vgough@xxxxxxxxx>
Subject: Re: reconsidering default exit policy
From: Lionel Elie Mamane <lionel@xxxxxxxxx>
Date: Fri, 11 Mar 2005 12:08:26 +0100
Cc: or-talk@xxxxxxxxxxxxx
Delivered-to: archiver@seul.org
Delivered-to: or-talk-outgoing@seul.org
Delivered-to: or-talk@seul.org
Delivery-date: Fri, 11 Mar 2005 06:09:09 -0500
In-reply-to: <42316CC4.3080102@pobox.com>
Mail-followup-to: Lionel Elie Mamane <lionel@xxxxxxxxx>, Valient Gough <vgough@xxxxxxxxx>, or-talk@xxxxxxxxxxxxx
References: <20050310225243.GA16598@eecs.harvard.edu> <42316CC4.3080102@pobox.com>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx
User-agent: Mutt/1.5.6+20040907i

On Fri, Mar 11, 2005 at 11:02:44AM +0100, Valient Gough wrote:
> Geoffrey Goodell wrote:
>># reject private networks (no surprises!)
>>ExitPolicy reject 0.0.0.0/255.0.0.0:*
>>ExitPolicy reject 127.0.0.0/255.0.0.0:*
>>ExitPolicy reject 10.0.0.0/255.0.0.0:*
>>ExitPolicy reject 172.16.0.0/255.240.0.0:*
>>ExitPolicy reject 192.168.0.0/255.255.0.0:*
>>ExitPolicy reject 169.254.0.0/255.255.0.0:*

> Also, is the list of private networks above exhaustive?

AFAIK, it would.

> I took my list of networks to block from my firewall list (from
> firehol.sourceforge.net):

> # IANA Reserved IPv4 address space
> # Suggested by Fco.Felix Belmonte <ffelix@xxxxxxxxxxxxx>
> # Optimized (CIDR) by Marc 'HE' Brockschmidt <marc@xxxxxxxxxxxxxxxxxxx>
> # Further optimized and reduced by http://www.vergenet.net/linux/aggregate/
> # The supplied get-iana.sh uses 'aggregate-flim' if it finds it in the path.
> RESERVED_IPS="0.0.0.0/7 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 23.0.0.0/8
> 27.0.0.0/8 31.0
> .0.0/8 36.0.0.0/7 39.0.0.0/8 41.0.0.0/8 42.0.0.0/8 73.0.0.0/8 74.0.0.0/7
> 76.0.0.
> 0/6 89.0.0.0/8 90.0.0.0/7 92.0.0.0/6 96.0.0.0/3 173.0.0.0/8 174.0.0.0/7
> 176.0.0.
> 0/5 184.0.0.0/6 189.0.0.0/8 190.0.0.0/8 197.0.0.0/8 223.0.0.0/8 240.0.0.0/4"

At first sight, this looks like a BOGON list; these are IP ranges that
aren't allocated to anyone NOW (plus "special use"). So if anyone uses
these addresses NOW, it is a nasty spoofer. But these addresses can
get allocated in the future, it is thus *critical* for
interoperability that these bogon filters be used ONLY if the filter
*will* get updated *often* automatically, e.g. from
http://www.cymru.com/Bogons/ . And never in "configure once and don't
touch it" mode.

I might be a good idea to filter out multicast space, though. That's
224.0.0.0/4. And other "special use" spaces:

            0.0.0.0/8		"this" network - only for source,
				never destination
            10.0.0.0/8		covered
            127.0.0.0/8		covered
            169.254.0.0/16	covered
            172.16.0.0/12	covered
            192.0.2.0/24	reserved for documentation and examples
            192.168.0.0/16	covered
            198.18.0.0/15	reserved for benchmarks
            240.0.0.0/4		"reserved for future use", and listed
	                        in the "martian" list; I suppose one
				doesn't expect assignments from this
				space before a long time, but it could
				happen, I guess. Or the space could be
				used for a totally different use.

(multicast plus reserved aggregate to 224.0.0.0/3)

TCP connections to 6to4 auto-router space (192.88.99.0/24) don't make
much sense either; we can filter those.

-- 
Lionel

Follow-Ups:
- Re: reconsidering default exit policy
  - From: Geoffrey Goodell

References:
- reconsidering default exit policy
  - From: Geoffrey Goodell
- Re: reconsidering default exit policy
  - From: Valient Gough

Prev by Author: silky and tor
Next by Author: Re: Setting up TOR
Previous by thread: Re: reconsidering default exit policy
Next by thread: Re: reconsidering default exit policy
Index(es):
- Author
- Thread