RFC3330

RFC1918 is fine, it's easy enough to remember a few networks. But what if you are asked for RFC3330? Say, the question asks you to block the networks in RFC3330 on the Internet facing router. I cannot find a place on the Cisco document website for this RFC, and I don't think I can remember all these networks.

Another sample is to block ICMP Smurf and UDP Fraggle attacks. Without searching, I cannot come up with an idea what they are.

So how likely is it that this kind of question is asked? And if asked, what are you gonna do?

Bo

Comments

  • Cisco will generally structure it so that it is solvable. 

    For example - block 5 prefixes from RFC 3330. This is pretty darn easy when you do not panic and just think about it.....

    255.255.255.255
    0.0.0.0
    10.0.0.0
    192.168.0.0
    127.0.0.0

    On Jan 11, 2010, at 5:10 PM, bozhang wrote:

    Internetwork Expert - The Industry Leader in CCIE Preparation
    http://www.internetworkexpert.com

    Subscription information may be found at:
    http://www.ieoc.com/forums/ForumSubscriptions.aspx

  • OK, so you lose the point :)

    255.255.255.255 isn't in RFC3330.

  • That is hilarious!!!!!

    Yeah - I would have stuck with

    172.16.0.0 0.15.255.255

  • heheheheh...  Keep it simple!

    Just remember the first and last network of each class.
    0.0.0.0/8, 127.0.0.0/8.  128.0.0.0/16, 191.255.0.0/16.  192.0.0.0/24,
    223.255.255.0/24 and you have more than 5.  :)

    Scott Morris, CCIEx4
    (R&S/ISP-Dial/Security/Service Provider) #4713,
    JNCIE-M #153, JNCIS-ER, CISSP, et al.
    JNCI-M, JNCI-ER

    Internetwork Expert, Inc.
    http://www.InternetworkExpert.com
    Toll Free: 877-224-8987
    Outside US: 775-826-4344

    Knowledge is power.
    Power corrupts.
    Study hard and be Eeeeviiiil......

  • Thanks Scott! This does seem to be the best way to me!

    Bo

  • really a good way, thanks Scott!

  • I really doubt Cisco will ask you a question about an RFC number.  It may have happened in the past, but where are RFC numbers listed in the core knowledge of the blueprint?  They are not.

    If they do, then the CCIE is nothing more than a game.  Has someone heard of an RFC number being asked before?  I mean....really?

  • When the Core Knowledge for R&S first was introduced - there were such questions. They have sobered up since.

    This example was about the configuration section...my point is this:

    It would be valid for Cisco to ask something like filter 5 RFC 3330 prefixes. That is perfectly doable and expected for an "expert" in this field.

  • That's fair, but would they expect us to know what RFC 3330 prefixes are?  I had no clue before this thread. 

  • Yes - they actually would - same with other very famous RFCs like 1918.

     

  • Yeah, I'd say it was fair game....   Any service provider that I've
    ever worked with has had different levels of bogon filtering.  RFC 3330
    is merely one interpretation of that.  So yup, common practice.

    Scott Morris, CCIEx4

    awilkins wrote:

    That's fair, but would they expect us to know what RFC 3330
    prefixes are?  I had no clue before this thread.  This is not core
    knowledge in my opinion.  Again, just my opinion.

  • So Anthony/Scott, can you comment on my second question in the first post?

    "Another sample is to block ICMP Smurf and UDP Fraggle attacks. Without searching, I cannot come up with an idea what they are." Are these kinds of questions likely to be asked?

    Thanks,

    Bo

  • I have not sat the Service Provider or Security labs yet - but I have heard of these types of questions being asked - yes. 

    The great news is - notice that you can completely skip a question like this if you do not know it - and you can still pass the exam with relative ease. 

  • Mmmmm....  If it were the security exam, I would think this particular
    question would be a likely topic.

    I think the IDEA of the question is on track for what may appear on the
    real lab, but I think the topic choices would be more in-line with the
    specific track being tested on.

    Smurf and Fraggle had to do with spoofed source addresses (you may also
    see this as RFC 2427) which is basically uRPF stuff.  :)   All you
    young folks, the Smurfs and Fraggles may be a little before your time!
    (smirk)

    Scott Morris, CCIEx4

  • Hi all,

    These RFCs seem to be popular. :-)

    Actually, I believe RFC 2827 is the one you are referring to, Scott. :-)

    In my opinion, it would be a much more valid question for them to list some prefixes, give some sort of scenario in the OEQs like with a network diagram and ask to describe one of the many ways to filter them out, where to do it etc. There are many more ways than one in most cases, and think about the different planes, like Control Plane and Traffic Plane e.g., different techniques per setting.

    I can recommend this page: http://www.cisco.com/web/about/security/intelligence/sp_infrastruct_scty.html

    But I would focus much more on techniques than on RFCs.

    Did you know Cisco has posted some example questions for 2 other tracks:

    http://ciscocert.custhelp.com/app/answers/detail/a_id/4667/

    This also inspires me to think that a "scenario" like question is more likely than a question: "do you remember your RFC numbers, let's see...".

    Good luck in your studies!

    Toby

  • How about no ip directed-broadcast (smurf), rate-limit icmp traffic (not block it) and udp echo traffic (UDP fraggle), as you don't want to have problems with troubleshooting or block various icmp types that are useful (e.g. for tcp traffic pmtud: icmp type 3 subtype 4 fragmentation needed). You can find examples in the sp workbook that cover the above security concepts (bogon filtering, RTBH, uRPF, ICMP && UDP filtering) in various labs on security/services section.

    BR

    Orestis

  • These posts are AWESOME - thanks guys! 

    On Jan 13, 2010, at 10:08 AM, orestis46 wrote:


  • Yeah, that one.   ;)    Oops.

    Scott Morris, CCIEx4

  • If it mentions RFC 1918:

    - 10.0.0.0/8
    - 172.16.0.0/12
    - 192.168.0.0/16

    If it also mentions RFC3330:

    - RFC1918 blocks +
    - 127.0.0.0/8 (loopback)
    - 169.254.0.0/16 (link local)
    - 192.0.2.0/24 (TEST-NET)

    I have some doubts about what to filter on RFC3330... This RFC mentions several blocks, indeed, but many of them can be allocated from IANA to RIRs (in fact, they have been already, since there won't be any left as of Feb 3rd, 2011).

    So, these listed above are the only blocks that shouldn't be announced according to this RFC.

    This is at least my interpretation of it so far...

    Cheers. Gustavo
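    The filtering this thread converges on, written out as an added IOS configuration example that is not from any post here: an inbound ACL built from the prefixes listed above (RFC 1918 plus the RFC 3330 0/8, loopback, link-local and TEST-NET blocks) together with the Smurf/Fraggle measures Orestis describes (no directed broadcast, drop UDP echo, police rather than block ICMP, uRPF). The interface name, ACL names and rate-limit values are assumptions.

```cisco
! Added example, not from the thread: bogon ACL plus Smurf/Fraggle controls.
! Interface name, ACL names and the CAR values below are assumed.
ip access-list extended BOGON-IN
 remark RFC 3330 special-use blocks: never a valid source from the Internet
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 remark RFC 1918 private space
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 remark UDP echo (port 7) is the Fraggle reflector; drop it, not all UDP
 deny   udp any any eq echo
 remark everything else continues to the normal policy
 permit ip any any
!
! Classify only ping traffic so the policer never touches ICMP type 3
! code 4 (fragmentation needed), which PMTUD depends on.
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
!
interface GigabitEthernet0/0
 description Internet-facing link (assumed name)
 ip access-group BOGON-IN in
 ! Smurf needs the router to forward a directed broadcast into the LAN
 no ip directed-broadcast
 ! strict uRPF drops spoofed sources; only where routing is symmetric
 ip verify unicast source reachable-via rx
 ! CAR: rate-limit ping instead of blocking it (bps, burst bytes assumed)
 rate-limit input access-group 101 256000 8000 8000 conform-action transmit exceed-action drop
!
! The router's own UDP echo/chargen/discard responders should be off too
no service udp-small-servers
```

    Verify with `show ip access-lists BOGON-IN` after a test window: hit counts on the deny lines show whether bogon sources are actually arriving on the link before tightening further.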
