What's the current consensus on exempting private network space from
source address validation? Is it recommended? Discouraged?
(One argument in favor of exceptions is that it makes PMTUD work if
transfer networks use private address space.)
What's the current consensus on exempting private network space from
source address validation? Is it recommended? Discouraged?
What you do on your internal networks and internal transit is your business.
BCP38 talks about where you connect to the rest of the world.
RFC 1918 is specific that you're supposed to get all medieval on any escaping packets:
It is strongly recommended that routers which connect enterprises to
external networks are set up with appropriate packet and routing
filters at both ends of the link in order to prevent packet and
routing information leakage. An enterprise should also filter any
private networks from inbound routing information in order to protect
itself from ambiguous routing situations which can occur if routes to
the private address space point outside the enterprise.
(One argument in favor of exceptions is that it makes PMTUD work if
transfer networks use private address space.)
And that connection that's trying to use PMTU got established across the
commodity internet, how, exactly? 
That implies you let some routing
info escape and got one of those "ambiguous routing situations".
* Valdis Kletnieks:
What's the current consensus on exempting private network space from
source address validation? Is it recommended? Discouraged?What you do on your internal networks and internal transit is your business.
BCP38 talks about where you connect to the rest of the world.
I'm seeing them across AS boundaries, otherwise I wouldn't have
bothered.
RFC 1918 is specific that you're supposed to get all medieval on any
escaping packets:
Yeah, but sometimes, the current practice moves on. 
(One argument in favor of exceptions is that it makes PMTUD work if
transfer networks use private address space.)And that connection that's trying to use PMTU got established across the
commodity internet, how, exactly?
ICMP "fragmentation needed, but DF set" messages carry the a addresses
of intermediate routers which generate them (potentially in response
to MTU drops) as source addresses, not the IP addresses of the peers
in a connection.
That implies you let some routing info escape and got one of those
"ambiguous routing situations".
Not really, I'm afraid.
BCP38-land MUST *never* see RFC1918-space traffic. Ever.
Unless you're using a border router as a NAT device, of course....
The only way your question makes sense is if someone who should know better is intending to announce some chunk of RFC1918-space via BGP.
Please tell us that is not your intent.
Aloha,
Michael.
If any long-haul carriers are originating ICMP packets for other people's
consumption from 1918 addresses rather than addresses in their address space,
it's time to name-n-shame so the rest of us can vote with our feet and
checkbooks. There's no excuse for that in this day and age.
* Valdis Kletnieks:
* Michael J. Wise:
What's the current consensus on exempting private network space from
source address validation? Is it recommended? Discouraged?(One argument in favor of exceptions is that it makes PMTUD work if
transfer networks use private address space.)
and this is a good thing?
rfc1918 packets are not supposed to reach the public internet. once you
start accommodating their doing so, the downward slope gets pretty steep
and does not end in a nice place.
randy
My bus originates in the town of bananaville, but before it finally originates at mangoburgh, it originates through 5 other towns.
Wow, that would be a confusing language to speak. 
The origin is the beginning point of something, where it is created.
http://en.wiktionary.org/wiki/origin
I'll let you off as you're German and German doesn't use any words with related etymology :>
Though really, if you know BGP you should understand the term 'origin'.
adam.
I cannot agree more with this. If you want PMTU use non-private space, there is enough really 
And saving a /24 by renumbering your core into RFC 1918 won't save you from the coming run out.
MarcoH
I once suggested something along the lines of:
interface Loopback0
ip address 1.2.3.4 255.255.255.255
interface GigabitEthernet0/0
ip address 192.168.0.1 255.255.255.0
icmp errors-from Loopback0
But I was yelled at for trying to break traceroute.
Regards,
Bill Herrin
Florian Weimer wrote:
What's the current consensus on exempting private network space from
source address validation? Is it recommended? Discouraged?(One argument in favor of exceptions is that it makes PMTUD work if
transfer networks use private address space.)
IMHO, operators who number infrastructure out of RFC1918 and then permit
internet traceroutes over it are misguided and should consider avoiding
TTL decrement (i.e using mpls without internet TTL propagation) as a
less stressful (for us) alternative to simply filtering.
Dave.
Either way, there's no excuse.
First off, remember that BCP38 and 1918 don't apply on your set of
interconnected private networks, no matter how big a net it is. You want to
filter between two of your private nets, go ahead. You don't want to, that's
OK to. The fun starts when those packets leave your network(s) and hit the
public Internet.
Now that we have that squared away...
Either that intermediate router originated the ICMP 'frag needed' packet, in
which case somebody needs to be smacked for originating a 1918-addressed packet
on the public internet, or it's forwarding the packet. And if it's forwarding
the packet, then somebody *else* needs to be smacked for injecting that packet
into the public internet.
What *possible* use case would require a 1918-sourced packet to be traversing
the public internet? We're all waiting with bated breath to hear this one.
> What does "originating" mean? Creating the packets? Or forwarding
> them?Either way, there's no excuse.
First off, remember that BCP38 and 1918 don't apply on your set of
interconnected private networks, no matter how big a net it is. You want to
filter between two of your private nets, go ahead. You don't want to, that's
OK to. The fun starts when those packets leave your network(s) and hit the
public Internet.Now that we have that squared away...
Either that intermediate router originated the ICMP 'frag needed' packet, in
which case somebody needs to be smacked for originating a 1918-addressed packet
on the public internet, or it's forwarding the packet. And if it's forwarding
the packet, then somebody *else* needs to be smacked for injecting that packet
into the public internet.What *possible* use case would require a 1918-sourced packet to be traversing
the public internet? We're all waiting with bated breath to hear this one.
It's great for showing in traceroutes who the heel is.
Do I win a prize?
... JG
Like I said, at that point it's name-n-shame time.
I very often see 1918 space in ICMP responses. It's quite dumb.
Hahahahah
How do we prevent BGP loops? Hahahhaahb
I very often see 1918 space in ICMP responses. It's quite dumb.
you wouldn't if you filtered rfc 1918 source addresses on your border.
Oh I do, just not to my workstation