From owner-nanog@merit.edu Mon Oct 18 16:01:42 2004
Subject: Re: ICMP weirdness
From: Jim Popovitch <jimpop@yahoo.com>
To: "Stephen J. Wilcox" <steve@telecomplete.co.uk>
Cc: nanog@merit.edu
Date: Mon, 18 Oct 2004 17:01:39 -0400

> why not that seems ok to me.. ?
>
> assuming you accept the 1918 assignment to your cable then its not unreasonable
> that you can get to other end users on that network

Across other non-private IP space? I am not all that familiar w/
RFC1918, but I would think that this goes against it, or should I assume
that Insight Broadband is part of Comcast?
It appears likely that that _is_ the case.
It is numbered in historical 'Class A' space that AT&T owns.
Comcast did buy up a bunch of AT&T's cable operations. Both the cable TV
_and_ the internet services.
By strict definitions, your home is a _separate_ network from Comcast's
internal network.
As such:
Per RFC 1918, _you_ should be doing egress filtering, to prohibit
RFC 1918 _destination_ addresses from exiting your network _to_ Comcast's
network, as well as egress filtering of RFC 1918 _source_ address packets
(with a few special-case exceptions), to be a 'good neighbor'. In self-
defense, you should be ingress filtering any RFC 1918 destination addresses,
and any RFC 1918 source addressed packets (except for the special-case
exceptions -- ICMP redirect, unreachable, TTL exceeded, etc.).
Similarly, Comcast should, at the 'gateway' to your network, be =egress=
filtering any packets with RFC 1918 destination addresses, as well as any
RFC 1918 source address packets (except for the aforementioned special-case
exceptions).
They should *also* be _ingress_ filtering any RFC 1918 destination
addresses coming from your network, _and_ filtering out any RFC 1918
_source_ address packets (with the same few special-case exceptions) from
your network.
RFC 1918 restricts use of the 'private' address-blocks to networks under
a _single_ administrative control. It is perfectly legitimate to use
different segments of that address-space in different locations *on*the*
*same*network*, even _with_ 'routable' addresses in between them. The
RFC 1918 rule is that the 'private' addresses must not escape _from_ the
network under the administrative control of that party to a network that
is controlled by 'somebody else'.
That said, a *LOT* of the world doesn't use 'strict' definitions.
Unfortunately.
Comcast apparently considers the end-user machines as simply nodes _on_their_
_network_. And, as such, does route RFC 1918 addresses 'internally' between
different locales, where different portions of that address-space are used
_on_the_Comcast_network_.
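The boundary filter the message describes, written up as an added example (it is not code from the thread or any of its participants). The packet record and function names are assumptions made for the example; ICMP types 3, 5 and 11 are the unreachable, redirect and TTL-exceeded special cases the message lists, and 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for public addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# The three RFC 1918 'private' blocks.
RFC1918_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# ICMP error messages a privately numbered transit hop may legitimately
# send about someone else's packet: destination unreachable (3),
# redirect (5) and time exceeded / TTL expired (11).
ICMP_ERROR_TYPES = {3, 5, 11}

@dataclass(frozen=True)
class Packet:
    """Minimal constructed packet record (hypothetical, for this example)."""
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    icmp_type: Optional[int] = None

def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in RFC1918_BLOCKS)

def border_verdict(pkt: Packet) -> Tuple[str, str]:
    """Decision at the boundary between two administrative domains.
    The same rule is egress filtering on one side and ingress filtering
    on the other, so it needs no direction argument."""
    if is_rfc1918(pkt.dst):
        return "drop", "RFC 1918 destination must not cross the boundary"
    if is_rfc1918(pkt.src):
        if pkt.proto == "icmp" and pkt.icmp_type in ICMP_ERROR_TYPES:
            return "accept", "ICMP error from a privately numbered hop"
        return "drop", "RFC 1918 source leaking across the boundary"
    return "accept", "public addresses on both ends"

if __name__ == "__main__":
    # Constructed sample traffic as it might be seen at the gateway
    # between a home network and the provider's network.
    sample = [
        Packet("192.168.1.10", "203.0.113.5", "tcp"),
        Packet("203.0.113.5", "10.20.30.40", "udp"),
        Packet("10.0.0.1", "203.0.113.5", "icmp", icmp_type=11),
        Packet("10.0.0.1", "203.0.113.5", "icmp", icmp_type=8),
        Packet("198.51.100.7", "203.0.113.5", "tcp"),
    ]
    for p in sample:
        print(p.src, "->", p.dst, *border_verdict(p))
```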