ISPs Blocking Private Addresses?

Do most ISPs explicitly block private IP addresses (e.g. 10.X.X.X) at their
borders?

Do the "default-less" ISPs filter private addresses or do they let
routing/forwarding do the work?

thanks, peter

> Do most ISPs explicitly block private IP addresses (e.g. 10.X.X.X) at their
> borders?
>
> Do the "default-less" ISPs filter private addresses or do they let
> routing/forwarding do the work?
>
> thanks, peter

route-views.oregon-ix.net>sh ip bgp 10.0.0.0
% Network not in table
route-views.oregon-ix.net>
                               
Looks like it.

Filter everyone... trust no one.

(aphorism of the day)

brad reynolds
ber@cwru.edu

This comes in two parts.

First, nearly all clueful providers will filter BGP announcements of
private IP space. While such announcements should never happen, they
happen amazingly often. People that filter these announcements may be...
half the Internet, but I'm cynical today.

Second, some providers filter traffic using private IP space. This is a
significantly smaller percent. One problem that you can run into if you
do filter traffic from private IP space is that if someone is using a
router using private IP space on an interface, you can break PMTU-D by
doing this filtering. Another problem (but a lesser one) is that
traceroute to sites passing through a router using a private address on an
interface will show a row of timeouts. This is the fault of the person
using private IP addresses for a router and having that router generate
ICMP messages using that address, but...

If you are using private address space internally for router interfaces or
whatever, then you want to filter it to prevent spoofing. But if you do
that then you cause problems with other people who do the exact same thing
you are doing which isn't too smart.

I do see an amazing amount of traffic (i.e. attempted connections) from
machines using private addresses.

While others are far more qualified to judge numbers than I am, I wouldn't
say it is clear that most block them, but a reasonable minority do.

Out of curiosity, how does one configure the router to generate ICMP
messages of a different address (assuming IOS)?

-Richard

Peter,

> Do most ISPs explicitly block private IP addresses (e.g. 10.X.X.X) at their
> borders?
>
> Do the "default-less" ISPs filter private addresses or do they let
> routing/forwarding do the work?

More clueful ISPs do in fact block private address space exchange via BGP.
Many also filter. Smaller ISPs tend to miss these steps, and there is
frequently someone advertising private space at the NAPs from time to
time. And some believe it, surprisingly.

Many cable networks, like Rogers and @Home, use net 10 for numbering
internal devices for SNMP surveillance, like modems and switches. While
INTERNIC may not mandate it, they are sensitive to 2 IP addresses per
household drawn from the public space. As such, when @Home and Rogers
merged networks, there was some private address space reconciliation
required. Thus, you cannot assume that private address space is not routed
"privately" within a given ISP's backbone. Needless to say, they are
usually very vigilant about route and packet filtering.

Regards,

Eric Carroll eric.carroll@acm.org
Tekton Internet Associates

Most people use what's commonly referred to as Martian filters to filter
out private address spacing. It allows those ISPs to use private address
space internally and not have to worry about advertising them via external
routing protocols and also keeps them from accepting bogus route
announcements from other providers who haven't used the filters.

> Do most ISPs explicitly block private IP addresses (e.g. 10.X.X.X) at their
> borders?
>
> Do the "default-less" ISPs filter private addresses or do they let
> routing/forwarding do the work?

Default-less?

> thanks, peter

Joe Shaw - jshaw@insync.net
NetAdmin - Insync Internet Services

> Most people use what's commonly referred to as Martian filters to filter
> out private address spacing. It allows those ISPs to use private address
> space internally and not have to worry about advertising them via external
> routing protocols and also keeps them from accepting bogus route
> announcements from other providers who haven't used the filters.

There's an important distinction to be made, Joe, between filtering
_packets_ and filtering _announcements_. Martian filters usually
filter packets. What you announce, and what you send, need not have
anything to do with one another.

> > Do the "default-less" ISPs filter private addresses or do they let
> > routing/forwarding do the work?
>
> Default-less?

Yes: backbones whose routers have no default place to send packets not
handled by some explicit route.

Cheers,
-- jra
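
The distinction drawn in this thread between filtering announcements and filtering packets, and the question of whether a default-less router can "let routing/forwarding do the work", can be modelled in a few lines. This is an added example, not code from any participant in the thread; the function names, the prefixes and the sample packets are constructed for illustration, and forwarding is simplified to "some explicit route covers the destination".

```python
import ipaddress

# RFC 1918 private ranges (10.X.X.X from the thread, plus the other two blocks).
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def reject_announcement(prefix):
    """Route filter: refuse a BGP announcement that lies inside private space."""
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(p) for p in PRIVATE)

def drop_by_source(src):
    """Packet filter: drop a packet whose SOURCE address is private."""
    addr = ipaddress.ip_address(src)
    return any(addr in p for p in PRIVATE)

def has_route(table, dst):
    """Default-less forwarding: deliver only if some explicit route covers dst."""
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(r) for r in table)

def build_table(announcements):
    """Routes left after the announcement filter has been applied."""
    return [a for a in announcements if not reject_announcement(a)]

def verdict(table, pkt, filter_sources):
    """Return 'drop-filter', 'drop-no-route' or 'forward' for one packet."""
    if filter_sources and drop_by_source(pkt["src"]):
        return "drop-filter"
    return "forward" if has_route(table, pkt["dst"]) else "drop-no-route"

# Constructed sample data (documentation prefixes stand in for public space).
ANNOUNCED = ["198.51.100.0/24", "203.0.113.0/24", "10.0.0.0/8", "10.20.0.0/16"]
PACKETS = [
    {"name": "normal",       "src": "198.51.100.7", "dst": "203.0.113.9"},
    {"name": "to-private",   "src": "198.51.100.7", "dst": "10.1.2.3"},
    {"name": "from-private", "src": "10.9.9.9",     "dst": "203.0.113.9"},
    # ICMP "fragmentation needed" sent by a router numbered out of net 10
    {"name": "icmp-frag",    "src": "10.1.1.1",     "dst": "198.51.100.7"},
]

def run(filter_sources):
    table = build_table(ANNOUNCED)
    return {p["name"]: verdict(table, p, filter_sources) for p in PACKETS}

if __name__ == "__main__":
    for mode in (False, True):
        print("source filter on" if mode else "routing only", run(mode))
```

With routing alone, only packets addressed *to* private space die for lack of a route; packets *from* private sources are still forwarded, and turning on the source filter stops them at the cost of the ICMP message that PMTU-D depends on.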