ICMP weirdness

From owner-nanog@merit.edu Mon Oct 18 16:01:42 2004
Subject: Re: ICMP weirdness
From: Jim Popovitch <jimpop@yahoo.com>
To: "Stephen J. Wilcox" <steve@telecomplete.co.uk>
Cc: nanog@merit.edu
Date: Mon, 18 Oct 2004 17:01:39 -0400

> why not that seems ok to me.. ?
>
> assuming you accept the 1918 assignment to your cable then its not unreasonable
> that you can get to other end users on that network

Across other non-private IP space? I am not all that familiar w/
RFC1918, but I would think that this goes against it, or should I assume
that Insight Broadband is part of Comcast?

It appears likely that that _is_ the case.

It is numbered in historical 'Class A' space that AT&T owns.

Comcast did buy up a bunch of AT&T's cable operations. Both the cable TV
_and_ the internet services.

By strict definitions, your home is a _separate_ network from Comcast's
internal network.

As such:
   Per RFC 1918, _you_ should be doing egress filtering, to prohibit
   RFC 1918 _destination_ addresses from exiting your network _to_ Comcast's
   network, as well as egress filtering of RFC 1918 _source_ address packets
   (with a few special-case exceptions), to be a 'good neighbor'. In
   self-defense, you should be ingress filtering any RFC 1918 destination
   addresses, and any RFC 1918 source addressed packets (except for the
   special-case exceptions -- ICMP redirect, unreachable, TTL exceeded, etc.).

   Similarly, Comcast should, at the 'gateway' to your network, be =egress=
   filtering any packets with RFC 1918 destination addresses, as well as any
   RFC 1918 source address packets (except for the aforementioned special-case
   exceptions).
   They should *also* be _ingress_ filtering any RFC 1918 destination
   addresses coming from your network, _and_ filtering out any RFC 1918
   _source_ address packets (with the same few special-case exceptions) from
   your network.

RFC 1918 restricts use of the 'private' address-blocks to networks under
a _single_ administrative control. It is perfectly legitimate to use
different segments of that address-space in different locations *on*the*
*same*network*, even _with_ 'routable' addresses in between them. The
RFC 1918 rule is that the 'private' addresses must not escape _from_ the
network under the administrative control of that party to a network that
is controlled by 'somebody else'.

That said, a *LOT* of the world doesn't use 'strict' definitions.

Unfortunately.

Comcast apparently considers the end-user machines as simply nodes _on_their_
_network_. And, as such, does route RFC 1918 addresses 'internally' between
different locales, where different portions of that address-space are used
_on_the_Comcast_network_.
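The boundary filter described in the post, as an added example that is not part of the thread: a small Python model of the rule that applies at both the home side and the provider side (drop any RFC 1918 destination, drop any RFC 1918 source except the ICMP error messages listed as special cases). The packet values are constructed from documentation address ranges; the ICMP type numbers (3 unreachable, 5 redirect, 11 time exceeded) are the standard assignments.

```python
"""Model of the RFC 1918 boundary filter described in the post (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The post's "special-case exceptions": ICMP error messages that may carry an
# RFC 1918 source address and still cross the boundary. Standard type numbers:
# 3 = destination unreachable, 5 = redirect, 11 = time exceeded (what a
# traceroute through 10.x provider routers relies on). Many operators drop
# redirects from untrusted sources regardless; the post's list is modelled as written.
ICMP_EXCEPTIONS = {3, 5, 11}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    icmp_type: Optional[int] = None  # only meaningful when proto == "icmp"


def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def boundary_verdict(pkt: Packet) -> str:
    """Return 'drop' or 'pass' for a packet crossing the home/provider boundary.

    The same rule is applied for egress and ingress, as the post describes:
    a private destination never crosses; a private source crosses only as one
    of the excepted ICMP error types.
    """
    if is_private(pkt.dst):
        return "drop"
    if is_private(pkt.src):
        if pkt.proto == "icmp" and pkt.icmp_type in ICMP_EXCEPTIONS:
            return "pass"
        return "drop"
    return "pass"


def apply_filter(packets: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """Split constructed traffic into (passed, dropped) under the boundary rule."""
    passed = [p for p in packets if boundary_verdict(p) == "pass"]
    dropped = [p for p in packets if boundary_verdict(p) == "drop"]
    return passed, dropped
```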