Maybe I'm misreading this but...

The following traceroute seems to indicate, according to ARIN, that
someone is running routers for spammers in the IANA Reserved netspace?

First a traceroute:

world% traceroute www.libidomax.com
traceroute to www.libidomax.com (209.149.111.17), 30 hops max, 40 byte packets
1 Boston-STD-F.std.com (199.172.62.80) 17 ms 4 ms 4 ms
2 553.Hssi2-0.GW2.BOS1.ALTER.NET (157.130.10.129) 59 ms 107 ms 69 ms
3 124.ATM3-0.XR1.BOS1.ALTER.NET (146.188.176.250) 77 ms 54 ms 37 ms
4 191.ATM2-0.TR1.NYC1.ALTER.NET (146.188.179.82) 38 ms 51 ms 51 ms
5 104.ATM7-0.TR1.ATL1.ALTER.NET (146.188.136.57) 80 ms 87 ms 133 ms
6 100.ATM7-0.XR1.ATL1.ALTER.NET (146.188.232.85) 91 ms 141 ms 63 ms
7 195.ATM10-0-0.GW1.JAX1.ALTER.NET (146.188.232.169) 53 ms 81 ms 107 ms
8 bs-jackson-gw.customer.alter.net (157.130.65.226) 107 ms 132 ms 96 ms
9 172.17.80.46 (172.17.80.46) 59 ms 53 ms 44 ms
10 172.21.210.18 (172.21.210.18) 122 ms 96 ms 49 ms
11 209.149.111.17 (209.149.111.17) 53 ms (ttl=118!) 58 ms (ttl=118!) 150 ms (ttl=118!)

Ok, now let's look up the 172.* addresses:

world% arin 172.17.80.46
IANA (IANA-BBLK-RESERVED)
  Internet Assigned Numbers Authority
  Information Sciences Institute
  University of Southern California
  4676 Admiralty Way, Suite 1001
  Marina del Rey, CA 90292-6695

  Netname: IANA-BBLK-RESERVED
  Netblock: 172.16.0.0 - 172.31.0.0

  Coordinator:
     Internet Assigned Numbers Authority (IANA-ARIN) iana@iana.org
     (310) 822-1511

  Domain System inverse mapping provided by:

  BLACKHOLE.ISI.EDU 128.9.64.26
  NS2.INTERNIC.NET 198.41.0.11

and I get the same result of course for the other 172 address so I'll
save you the redundant cut and paste.

What's going on here?

The following traceroute seems to indicate, according to ARIN, that
someone is running routers for spammers in the IANA Reserved netspace?

[SNIP]

8 bs-jackson-gw.customer.alter.net (157.130.65.226) 107 ms 132 ms 96 ms
9 172.17.80.46 (172.17.80.46) 59 ms 53 ms 44 ms
10 172.21.210.18 (172.21.210.18) 122 ms 96 ms 49 ms
11 209.149.111.17 (209.149.111.17) 53 ms (ttl=118!) 58 ms (ttl=118!)

150 ms (ttl=118!)

What's going on here?

Barry, 172.16.0.0/12 is part of RFC1918 space. There is no prohibition of
addressing routers with these addresses, and in fact I do not know of a
router that will route RFC1918 space differently than any other IP address.
(Of course, you can put in filters, and many people do, but you can filter
any addresses exactly the same way.) This is a perfectly legitimate use of
RFC1918 space, as long as those hosts expect no connectivity outside their
own network. Many people use RFC1918 on WAN links and whatnot to preserve
their ARIN allocations for "real" hosts. Read the RFC for more info.

       -Barry Shein

TTFN,
patrick

I Am Not An Isp
www.ianai.net
"Think of it as evolution in action." - Niven & Pournelle

Somebody's router config is broken. This is the reserved /12 for
enterprise addresses. I would look at whoever Alternet's bs-jackson
customer is.

The following traceroute seems to indicate, according to ARIN, that
someone is running routers for spammers in the IANA Reserved netspace?

First a traceroute:

world% traceroute www.libidomax.com
traceroute to www.libidomax.com (209.149.111.17), 30 hops max, 40 byte

packets

The following traceroute seems to indicate, according to ARIN, that
someone is running routers for spammers in the IANA Reserved netspace?

Nope.

> 8 bs-jackson-gw.customer.alter.net (157.130.65.226) 107 ms 132 ms 96 ms
> 9 172.17.80.46 (172.17.80.46) 59 ms 53 ms 44 ms
>10 172.21.210.18 (172.21.210.18) 122 ms 96 ms 49 ms
>11 209.149.111.17 (209.149.111.17) 53 ms (ttl=118!) 58 ms (ttl=118!) 150 ms (ttl=118!)

Looks to me like BellSouth is using rfc-1918 private IP space for some of
their routers. Possible reasons are conservation of address space and
that it makes it difficult to directly access these routers from outside
their network.

I have heard of people doing temporary bogus route announcements and
running spam servers from someone else's or unallocated IP space...but I
don't think I've ever seen it first hand. Sadly, both my upstreams have
really tight BGP filters, so I don't get to play any of these games.

> The following traceroute seems to indicate, according to ARIN, that
> someone is running routers for spammers in the IANA Reserved netspace?
>

You are mis-reading this because the 172 addresses are not routeable. In a
traceroute, a router can say that it is any IP address it likes, but that
does not mean that you can traceroute to 172.x.y.z... It just means that the
routers are most likely using those IP addresses for private interconnect

Yea, well, just 'cause it isn't routable doesn't mean people won't
advertise it.

I see that Sprint is still winning the bogus route advertisements war
with:

1.1.1/30
1.1.1.4/30
1.1.1.8/30
1.1.1.12/30
1.1.1.16/30
1.1.1.20/30
1.1.1.24/30
2.52.228.144

Funny how when someone starts a bogus advertisement it is almost always
sprint or a sprint customer.

Doesn't this break MTU path discovery though?

No, it wouldn't. Those addresses are not routable on the global 'Net,
however, there is nothing stopping a device with an RFC1918 address from
sending a packet onto the 'Net.

Assume you have a T1 between two routers, but you are out of 'normal'
addresses. So you make the two serial ports 10.1.1.1 and 10.1.1.2.
Simple, huh? Well, anyone outside your network attempting to reach those
addresses will fail - there is no route to 10.x.x.x on the Internet. (At
least not in *my* network. Let's further assume there's a LAN on the
other side of this T1 with a MTU below 1500 bytes. Now, when you attempt
PMTU discovery to a device on that small MTU LAN (going through the T1 of
course), what happens? When the router on the opposite end of the T1 gets
the packet, it sees that the packet is "too big" and DF bit is set (as per
PMTU rules) and cannot send the packet. So what should it do? Why send an
ICMP "Datagram Too Big" error message, of course. (Type 3, "Destination
Unreachable", Code 4, "fragmentation needed and DF set". See RFC 1191,
http://www.pmg.lcs.mit.edu/cgi-bin/rfc/view-plain?number=1191, and RFC 792,
http://www.pmg.lcs.mit.edu/cgi-bin/rfc/view?792, for more info.) Just like
any other (properly functioning) router on the Internet. But what's the
source address? Why 10.1.1.1 of course. So you get a packet from RFC1918
space. Perfectly normal, perfectly acceptable, perfectly legitimate.

See, when a router gets a packet, it does not look at the source IP for
routing info. (Unless you're doing something weird like policy routing.)
So the source IP is irrelevant to a router. Hell, even the destination IP
is irrelevant as long as it's 32 bits and matches something in the router's
table (including a possible default route). I have never seen a router
vendor treat a packet with RFC1918 space in source or destination any
differently than any other packet. Unless, of course, the user manually
modifies the default behavior with filters or something - which can be done
to any address just as easily.

The point is, there is magical router fairy looking for RFC1918 space and
removing all those packets from your network. Those addresses are treated
by your router just like *any other address*. Forwarded, filtered,
whatever depending upon the rules you set up and the information it
receives dynamically.

I hope that explains everything.

TTFN,
patrick

I Am Not An Isp
www.ianai.net
"Think of it as evolution in action." - Niven & Pournelle

In article <199810161909.PAA16027@merit.edu>,

Yes. It breaks anything where ICMP messages have to get back to the
origin system because it is perfectly legitimate (or necessary if they are
used internally) for systems to filter ICMP from private address space.

Note that if there is no MTU change at that point, there is no problem
because there will never (well, almost never and the almost is dependent
on having funky/broken routers) be any reason to be unable to fragment at
that hop.

As always, http://www.worldgate.com/~marcs/mtu/ for details on PMTU-D and
why you break it and why you don't want to break it.

This is _NOT_ just one of those odd theoretical problems but I have seen
it in the real world (ATM <--> fast enet). I suspect that most people who
have this problem don't know about it and could take a lot of convincing
to understand it.

It would appear, at first glance, that an option to configure your router
to use a routed address (since most such routers have at least one routed
address) for generating such ICMP would avoid the problem, at the expense
of lying and the possible (human) confusion that could entail.

That argument is so bogus that I am amazed you are trying to use it.

Saying that using private addresses for links doesn't break PMTU-D if
there is a MTU change just because it requires other things in place to
actually break is quite irresponsible. People are clueless enough
already, don't confuse them with half truths.

The reality is, that for the Internet today where a large number of people
filter such addresses, using private addresses does break PMTU-D. They
_CAN_ put filters on any address just as easily; if I don't want traffic
from you, I can filter it. If I don't want traffic from addresses that
shouldn't be sending traffic or that I use internally, I will filter it.
If you have a MTU change on a router using private link addresses, then
the second filter implies that the first will implicitly be true anyway
for at least some traffic. It is _NOT_ correct to say that filtering
either your address or private address space has just the same effect.

differently than any other packet. Unless, of course, the user manually
modifies the default behavior with filters or something - which can be done
to any address just as easily.

That argument is so bogus that I am amazed you are trying to use it.

I was going to leave this alone, as most people were polite and at least
partially rational. But you win, I'll reply.

Saying that using private addresses for links doesn't break PMTU-D if
there is a MTU change just because it requires other things in place to
actually break is quite irresponsible. People are clueless enough
already, don't confuse them with half truths.

I am afraid that you are the one spouting factually incorrect information.
I am neither responsible for your lack of clue or your filtering. The fact
that you filter RFC1918 space may be admirable, but that does not mean that
RFC1918 breaks PMTU.

The reality is, that for the Internet today where a large number of people
filter such addresses, using private addresses does break PMTU-D. They
_CAN_ put filters on any address just as easily; if I don't want traffic
from you, I can filter it. If I don't want traffic from addresses that
shouldn't be sending traffic or that I use internally, I will filter it.
If you have a MTU change on a router using private link addresses, then
the second filter implies that the first will implicitly be true anyway
for at least some traffic. It is _NOT_ correct to say that filtering
either your address or private address space has just the same effect.

And if I use the RBL, and you are a known spammer, I can then deduce that
spamming breaks PMTU discover in much the same way. Sure, I'm just
filtering your route announcement instead of your source address, but the
PMTU is still not working. So, by your logic, spamming must break PMTU
discovery.

FACT: RFC1918 space does not break PMTU discovery. Deal with it.

I've said it before and I will say it again - the combination of private
policy decisions on some networks combined with the use of RFC1918 space on
routers with different MTU links (thanx to Steve Gibbard for that last
detail) *will* break PMTU discovery. However, if any *one* of the above
three requirements are missing, PMTU will still work just fine. Any
moderately intelligent person can plainly see from the above that RFC1918
address space in and of itself does *not* break PMTU discovery. I hope
I've made this clear enough.

If you honestly believe people are "clueless enough already", then you
should be very careful not to mislead them with "half truths".
Specifically, one should be careful to separate routing rules and private
policies. By claiming a policy followed by some (and I'd bet not even
most) providers is fact or rule, you could mislead people who are capable
deducing the perfectly deterministic behavior for themselves. I would
consider this act "irresponsible", if I thought you had any
"responsibility" to teach these people in the first place.

As for your implication that so many people on the Internet filter RFC1918
space it should just be taken for granted, I'd like to point out you
obviously didn't even read the first post in this thread. The original
post included a traceroute - through a well known provider - that showed
RFC1918 space source addresses. Guess both the original poster and his
upstream forgot to read your rules. But that's okay, lots of other
providers also forgot. Of course, it's usually smaller ones like UUNET,
Sprint (that I'm sure of), MCI and BBN (I believe).

Sorry if I'm a bit harsh, but it simply amazes me that people will respond
to an e-mail showing a traceroute with RFC1918 space and respond with
"everyone filters RFC1918, you'll never see a packet sourced from there!".

TTFN,
patrick

I Am Not An Isp
www.ianai.net
"Think of it as evolution in action." - Niven & Pournelle

In article <Pine.BSF.4.02A.9810161946280.293-100000@localhost>,

Note that if there is no MTU change at that point, there is no problem
because there will never (well, almost never and the almost is dependent
on having funky/broken routers) be any reason to be unable to fragment at
that hop.

For this to be ok, you also have to be certain that whenever you add
an interface to that router -- by adding a card, configuring a tunnel,
or anything -- that you stop and check whether you need to renumber
the 1918-using interfaces. For a dialup box, you also need to be sure
it will never create a PPP session with an MTU unequal to the MTU of
all the other interfaces. These things are possible, but it's more
likely that PMTU will be broken because no one will think about it
when adding an interface.

>
>> differently than any other packet. Unless, of course, the user manually
>> modifies the default behavior with filters or something - which can be done
>> to any address just as easily.
>
>That argument is so bogus that I am amazed you are trying to use it.

I was going to leave this alone, as most people were polite and at least
partially rational. But you win, I'll reply.

Thanks.

>Saying that using private addresses for links doesn't break PMTU-D if
>there is a MTU change just because it requires other things in place to
>actually break is quite irresponsible. People are clueless enough
>already, don't confuse them with half truths.

I am afraid that you are the one spouting factually incorrect information.
I am neither responsible for your lack of clue or your filtering. The fact
that you filter RFC1918 space may be admirable, but that does not mean that
RFC1918 breaks PMTU.

No, RFC-1918 does not break PMTU-D in any way and I have never claimed it
did.

People configuring their routers to generate packets with an invalid and
illegal (according to RFC-1918) source address are what breaks it. By
telling people that doing so doesn't break things, you are ignoring both
the fact that it does for a certain unknown percent of users and that it
violates RFC-1918. What more do you need?

>The reality is, that for the Internet today where a large number of people
>filter such addresses, using private addresses does break PMTU-D. They
>_CAN_ put filters on any address just as easily; if I don't want traffic
>from you, I can filter it. If I don't want traffic from addresses that
>shouldn't be sending traffic or that I use internally, I will filter it.
>If you have a MTU change on a router using private link addresses, then
>the second filter implies that the first will implicitly be true anyway
>for at least some traffic. It is _NOT_ correct to say that filtering
>either your address or private address space has just the same effect.

And if I use the RBL, and you are a known spammer, I can then deduce that
spamming breaks PMTU discover in much the same way. Sure, I'm just

Nope. If I filter an address, then I don't want traffic from that
address. There is a direct cause effect relationship. If I filter
RFC-1918 address space, I am filtering addresses with the explicit
definition of:

   In order to use private address space, an enterprise needs to
   determine which hosts do not need to have network layer connectivity
   outside the enterprise in the foreseeable future and thus could be
   classified as private. Such hosts will use the private address space
   defined above. Private hosts can communicate with all other hosts
   inside the enterprise, both public and private. However, they cannot
   have IP connectivity to any host outside of the enterprise. While not
   having external (outside of the enterprise) IP connectivity private
   hosts can still have access to external services via mediating
   gateways (e.g., application layer gateways).

and:

   Because private addresses have no global meaning, routing information
   about private networks shall not be propagated on inter-enterprise
   links, and packets with private source or destination addresses
   should not be forwarded across such links. Routers in networks not
   using private address space, especially those of Internet service
   providers, are expected to be configured to reject (filter out)
   routing information about private networks. If such a router receives
   such information the rejection shall not be treated as a routing
   protocol error.

and:

   One might be tempted to have both public and private addresses on the
   same physical medium. While this is possible, there are pitfalls to
   such a design (note that the pitfalls have nothing to do with the use
   of private addresses, but are due to the presence of multiple IP
   subnets on a common Data Link subnetwork). We advise caution when
   proceeding in this area.

   It is strongly recommended that routers which connect enterprises to
   external networks are set up with appropriate packet and routing
   filters at both ends of the link in order to prevent packet and
   routing information leakage. An enterprise should also filter any
   private networks from inbound routing information in order to protect
   itself from ambiguous routing situations which can occur if routes to
   the private address space point outside the enterprise.

Nowhere does it imply that any legitimate use of such addresses will
result in me losing connectivity if I filter them. The only reason why
that holds true is because of people (mostly who heard someone say it was
a cool thing to do but don't themself have a clue about such things)
violating the RFC-1918 specified use of such addresses.

As for your implication that so many people on the Internet filter RFC1918
space it should just be taken for granted, I'd like to point out you
obviously didn't even read the first post in this thread. The original
post included a traceroute - through a well known provider - that showed
RFC1918 space source addresses. Guess both the original poster and his

So what? "many" certainly doesn't imply a majority.

Note that the fact that major backbones may not filter such things has
little relation to how the majority of end to end connections will see
things, since most of them don't go from a backbone to a backbone but go
from something connected to a backbone to something connected to a
backbone.

upstream forgot to read your rules. But that's okay, lots of other
providers also forgot. Of course, it's usually smaller ones like UUNET,
Sprint (that I'm sure of), MCI and BBN (I believe).

I wouldn't pay to much attention to what sprint does, since they are the
bozos that haven't heard of filtering advertisements or taking two seconds
to look at their configs before they implement them and start spewing
bogus routes to the world.

Sorry if I'm a bit harsh, but it simply amazes me that people will respond
to an e-mail showing a traceroute with RFC1918 space and respond with
"everyone filters RFC1918, you'll never see a packet sourced from there!".

I have never said such a thing, and if I implied it then I apoligize.

It is amazing how this comes up over and over, and people still defend it
somehow.

In article <Pine.BSF.4.02A.9810161946280.293-100000@localhost>,

Note that if there is no MTU change at that point, there is no problem
because there will never (well, almost never and the almost is dependent
on having funky/broken routers) be any reason to be unable to fragment at
that hop.

For this to be ok, you also have to be certain that whenever you add
an interface to that router -- by adding a card, configuring a tunnel,
or anything -- that you stop and check whether you need to renumber
the 1918-using interfaces. For a dialup box, you also need to be sure
it will never create a PPP session with an MTU unequal to the MTU of
all the other interfaces. These things are possible, but it's more
likely that PMTU will be broken because no one will think about it
when adding an interface.

If we're going to argue about this, we might as well get it completely
right. As long as the RFC1918 links are always on the smallest MTU pipes,
or on the pipes which only speak to the internal network, it won't break
anything even if everyone on the 'Net filters.

For instance, assume you have a FDDI with a MTU of 16KB pointed to your
server farm with 10.1.1.1 on it and a bunch of T1s and DS3s to random
upstreams. As long as the FDDI is incapable of originating packets that
will leave your own network (and as long as you don't filter your own
router's address) PMTU will *never* break, no matter who filters. Well, I
guess you could add another link with an MTU higher than 16KB, which I find
highly unlikely.

Another way to look at it, assume you have a PPP link with a MTU of 576.
Unless that router has something like dial-up links, the likelihood of PMTU
breaking because of an RFC1918 address on that link is nearly nil.

But then again, we've already established that the four largest providers
on the 'Net, plus several other large providers (Exodus, Above.Net,
Concentric, etc., etc.) all do not filter based on source IP address. So
the likelihood of a filter breaking PMTU due to RFC1918 space on router
links is already pretty small.

Shields, CrossLink.

TTFN,
patrick

I Am Not An Isp
www.ianai.net
"Think of it as evolution in action." - Niven & Pournelle

In article <4.0.1.19981016224901.00de6240@pariah.cncx.com>,

In article <4.0.1.19981016224901.00de6240@pariah.cncx.com>,

FACT: RFC1918 space does not break PMTU discovery. Deal with it.

If you use RFC 1918 space on the Internet, PMTU very well may not work
for you. You can place fault on whatever standard you like but that
doesn't change the *operational* issue.

Mark and I have discussed this in private. I believe this has devolved
into an argument over semantics.

Assume you use RFC1918 addressing in a private enterprise. PMTU-D will
work without a problem within that enterprise (unless you filter your own
routers). QED: RFC1918 does not break PMTU-D. However, if packets from
RFC1918 ports leave the enterprise, then there is a very real possibility
those packets will be filtered on other networks. These filters are in no
way wrong, bad or otherwise a problem. It's just something you have to
deal with "operationally".

So, using RFC1918 addresses on router ports which have any possibility of
send packets (even ICMP one-way communication) to other networks may find
their packets filtered. This means that things like PMTU-D will break.
Not using RFC1918 addressing reduces this possibility because (as Mark
pointed out) these filters are recommended by the RFC.

Does that make everyone happy? Can we get back to our regularly scheduled
furniture, carpet and spam discussions?

Shields, CrossLink.

TTFN,
patrick

I Am Not An Isp
www.ianai.net
"Think of it as evolution in action." - Niven & Pournelle

1) There is nothing inherient in the use of RFC 1918 space that will break
   PMTU.

2) In the real world, many providers filter RFC 1918 space, which has
   a good chance of breaking PMTU.

There, everyone is right. Can we all put our genitalia away and move on?

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
Patrick Greenwell (800) 299-1288 v
                  CTO (925) 377-1212 v
                           NameSecure (925) 377-1414 f
Coming to the ISPF? The Forum for ISPs by ISPs http://www.ispf.com
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

The only point I am trying to make is that while there is absolutely
nothing in using address space as defined in RFC-1918 that will break
PMTU-D, using 1918 addresses for public router interfaces which send
packets to public networks (in this case, the Internet) from that address
is outside the scope of what 1918 permits and can break things when
combined with other entirely legitimate and correct practices.

As a result, it is unwise to encourage people to use 1918 addresses in
such an inappropriate way.

Since everyone agrees on this, hopefully this thread can now rest.