Block RFC1918 and RFC3330 IP ranges

I found on the Cisco website an interesting page about protecting core infrastructure which some of the network engineers do like blocking all RFC1918 private IP address ranges. But I never thought about blocking as well all RFC3330 special use IP address ranges.

I think it is worth sharing this information, see below the overview of all RFC1918 and RFC3330:

0.0.0.0/8            "This" Network
10.0.0.0/8           Private Use Networks
14.0.0.0/8           Public-Data Networks
24.0.0.0/8           Cable Television Networks
39.0.0.0/8           Reserved but subject to allocation
127.0.0.0/8          Loopback
128.0.0.0/16         Reserved but subject to allocation
169.254.0.0/16       Link Local
172.16.0.0/12        Private-Use Networks
191.255.0.0/16       Reserved but subject to allocation
192.0.0.0/24         Reserved but subject to allocation
192.0.2.0/24         Test-Net
192.88.99.0/24       6to4 Relay Anycast
192.168.0.0/16       Private-Use Networks
198.18.0.0/15        Network Interconnect Device Benchmark Testing
223.255.255.0/24     Reserved but subject to allocation
224.0.0.0/4          Multicast
240.0.0.0/4          Reserved for Future Use

I got the information directly from the RFC3330 page and it is worth having a look.

If you are a good network engineer you should block externally not only RFC1918 but as well RFC3330 address ranges because they should not traverse the public internet. Even blocking them for outbound traffic would be very useful.

Here an ASA object group:

object-group network rfc3330-subnets
  description Group of all rfc3330 subnets incl private and special use
  network-object 0.0.0.0 255.0.0.0
  network-object 10.0.0.0 255.0.0.0
  network-object 14.0.0.0 255.0.0.0
  network-object 24.0.0.0 255.0.0.0
  network-object 39.0.0.0 255.0.0.0
  network-object 127.0.0.0 255.0.0.0
  network-object 128.0.0.0 255.255.0.0
  network-object 169.254.0.0 255.255.0.0
  network-object 172.16.0.0 255.240.0.0
  network-object 191.255.0.0 255.255.0.0
  network-object 192.0.0.0 255.255.255.0
  network-object 192.0.2.0 255.255.255.0
  network-object 192.88.99.0 255.255.255.0
  network-object 192.168.0.0 255.255.0.0
  network-object 198.18.0.0 255.254.0.0
  network-object 223.255.255.0 255.255.255.0
  network-object 224.0.0.0 240.0.0.0
  network-object 240.0.0.0 240.0.0.0
  exit

Creating access-list entry on your outside and inside interface:

access-list acl_outside-inbound remark Blocking all rfc3330 ip address ranges
access-list acl_outside-inbound extended deny ip object-group rfc3330-subnets any

access-list acl_inside-outbound remark Blocking all rfc3330 ip address ranges
access-list acl_inside-outbound extended deny ip object-group rfc3330-subnets any

Here the links to both RFC1918 and RFC3330:

https://tools.ietf.org/html/rfc1918

https://tools.ietf.org/html/rfc3330

Please share!

Leave a Reply

Your email address will not be published. Required fields are marked *